Data Protection Software


Protection from malware like ransomware - details pertaining to SP version 8.1.x included**

  • 1.  Protection from malware like ransomware - details pertaining to SP version 8.1.x included**

    Posted Wed September 12, 2018 06:14 PM

    With the following background info:

    Resiliency in the Face of the 21st Century Disaster - Cyber Threat Mitigation
    "Cyber threats are increasingly targeting availability and with ransomware and other attacks frequently going undetected for up to 99 days, the threat of not having a "clean" backup available is a real possibility. Join this webcast to hear how you can contain the impact of incidents, adapt your disaster recovery plan for cyber threats, minimize downtime and ensure successful recovery from a clean copy of data."

    With the following doc from SP 8.1.4 doc:
    Ransomware Directives from SP documentation:
    "Review the policies that are set up for the storage environment to ensure that a "sufficient" number of backup copies are retained and the copies are retained for a "sufficient" number of days."
    A non-TSM admin would just increase the number of copies to their 'sufficient' number; however, as trained TSM admins, we know that some files that never change from the time they are backed up will only ever have 1 copy, since TSM (SP) uses progressive incremental. So, consider the scenario of a multiple-disk solution for an active-active model, with an online network connection between your hub server and the spoke server, and bear in mind that ransomware spreads file by file via the OS. If your only protection for that one file is disk, then I think there is a very good probability that, if attacked by ransomware, that file will not be able to be restored; however, if that file is also written to tape, then the copy written by the physical tape drive will not be vulnerable to encryption. Thus, you would have a copy to restore from since, at least right now, ransomware cannot write at the physical layer of an LTO7 drive.

    Thus, what I am wondering is: why is tape being discarded by so many companies, including mine! In fact, I still stand by the golden rule of 3-2-1, where the "2" represents two different media!!! Any others???
    Does the above reasoning make sense? Please help me, if I am wrong, to understand that with the cloud the 3-2-1 rule no longer applies to the new reality! If it does still apply, then why is there no outcry about jeopardizing our data by ignoring this 3-2-1 rule?


    This question was asked to be posted anonymously by a community member who is unable to publicize their company name and sector. I will email the member directly to notify them of responses.

    Kristen Meren
    Community Manager

  • 2.  RE: Protection from malware like ransomware - details pertaining to SP version 8.1.x included**

    Posted Thu September 13, 2018 05:40 AM

    Totally agree with this. Many people consider tape to be a dying technology, when in fact it is a growing market. Most unstructured data that people store in the cloud (photos, music, etc.) is actually stored on tape media. IBM has a roadmap for tape that stretches over 10 years into the future; most disk manufacturers would struggle to provide a 5 year roadmap.

    I still think that the 3-2-1 rule applies, even when talking about backup and DR to the cloud; I always talk about it to customers.

    • 3 copies of your data - one production copy, a local backup copy and a remote backup copy. This is probably the minimum now, as most organisations will have 4 copies, as production data will be mirrored between sites using a business continuity/replication solution.
    • 2 types of media - traditionally this has always been one copy on disk and one copy on tape. Cloud now also provides a different media option. We are seeing a lot of people still using tape for local long term retention, but a cloud copy to replace the legacy off-site tape copy (DR to the cloud).
    • 1 copy off-site - as mentioned above, cloud is often used these days to facilitate the off-site copy, but many people still have tape and store off-site copies in fire safes or remote locations.
    Air gap solutions are a very hot topic at the moment, as a potential solution to cyber threats. This is a sweet spot for tape, as tape provides a native, offline, air gap solution. Tape also allows you to protect your backup meta-data (i.e. the Spectrum Protect database) from cyber threats using WORM media, or even by implementing a Spectrum Protect for Data Retention solution, formerly System Storage Archive Manager. If you can't protect/recover your meta-data then you will not be able to recover your backup data or air gap data.

    Please see the blog post I wrote a while ago for some more information on data protection for cyber threats.

    DATA.FYI: Data Protection for Cyber Threats * Digit
    Companies are looking for ways to improve their data security to guard against the rising number of ransomware attacks, whilst also protecting their data from insider threats, such as malicious intent from disgruntled employees. The financial penalties imposed by the GDPR have emphasised this massively.

    Feel free to get in touch if you require any more information.


    Darren Sanders
    Principal Consultant
    Celerity Ltd

    #ibmchampion storage
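    The two posts above describe the 3-2-1 rule in words and point out that a progressive-incremental file which never changes may only ever exist as one backup copy. The script below is an added example (not from the thread or from Spectrum Protect) that audits a constructed backup inventory against those rules. File names, sites and the `offline_copy` check (which captures the air-gap point rather than being part of 3-2-1 itself) are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    media: str      # "disk", "tape" or "cloud"
    site: str       # where the copy physically lives
    offline: bool   # True when no network path reaches it (tape on a shelf)


# Constructed inventory of backup copies per file (names and sites are made up).
# The production copy is not listed; evaluate_321() counts it separately.
INVENTORY = {
    # Never-changing file: one incremental backup, replicated disk-to-disk only
    "static-config.xml": [Copy("disk", "site-a", False), Copy("disk", "site-b", False)],
    # Database dump with disk, vaulted tape and cloud copies
    "finance.db": [
        Copy("disk", "site-a", False),
        Copy("tape", "vault", True),
        Copy("cloud", "cloud-region", False),
    ],
    # File with a single local disk copy
    "orphan.log": [Copy("disk", "site-a", False)],
}


def evaluate_321(copies, production_site="site-a", production_media="disk"):
    """Check one file's copies against 3-2-1 plus an offline (air-gap) check.

    The production copy counts as one of the three copies and as one media
    type, matching the thread's description of the rule.
    """
    media_types = {production_media} | {c.media for c in copies}
    return {
        "three_copies": 1 + len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": any(c.site != production_site for c in copies),
        "offline_copy": any(c.offline for c in copies),
    }


def audit(inventory, production_site="site-a"):
    """Return {file_name: [failed checks]} for every file that fails a check."""
    findings = {}
    for name, copies in inventory.items():
        result = evaluate_321(copies, production_site)
        failed = [rule for rule, ok in result.items() if not ok]
        if failed:
            findings[name] = failed
    return findings


if __name__ == "__main__":
    for name, failed in audit(INVENTORY).items():
        print(f"{name}: fails {', '.join(failed)}")
```

    Run as-is, the audit reports that the disk-replicated static file satisfies the copy count and the off-site rule but fails on media diversity and has no offline copy, which is exactly the exposure the first post describes.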

  • 3.  RE: Protection from malware like ransomware - details pertaining to SP version 8.1.x included**

    Posted Fri September 14, 2018 04:57 AM
    I agree - tape on a shelf is the only really 100% ransomware protected media, however there are other options which may be more or less as good:

    Use Node-replication between servers running on dissimilar OSes. It's highly unlikely (but not impossible) for ransomware to run on Windows and Linux/AIX.

    Use a technology like object storage - While it's technically possible for ransomware to destroy S3/SWIFT/MS BLOB, it's highly unlikely and hasn't even been hinted at in the wild (yet).

    Use container pool to tape extent protection - If your container pool gets corrupted the extents can be recovered from tape, so you keep the benefits of tape and dedupe disk.

    There's also some basic mitigation best practice:
    • Don't run your backup servers on the same directory as your production servers.
    • Don't have open shares - this includes Linux/UNIX NFS/SAMBA
    • In Windows make sure file sharing is turned off, use remote desktop to administer, or even better a hardware lights out administration system
    • If you can put the backup servers behind a firewall or similar technology to prevent ports other than 1500 being accessed - this may have performance implications. Use jump servers to administer.
    Oh, and use the new technology in SP to detect unusual amounts of change in clients to give automatic warning for potential ransomware infection.

    Fraser MacIntosh
    Spectrum Software Competitive Analyst
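    The last point in the post above, warning on an unusual amount of change in a client, is the kind of check a backup team can also run over its own session statistics. The script below is an added example and is not Spectrum Protect's own detection logic or output format: it takes constructed per-node daily counts (objects inspected and objects changed), builds a robust baseline from each node's history using the median and median absolute deviation, and raises an alert when one day's change count is far outside that baseline and also represents a meaningful share of the node's data. Node names, dates and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample statistics: (node, date, objects_inspected, objects_changed).
# These are invented values, not real Spectrum Protect session summaries.
SESSIONS = [
    ("FILESRV01", "2018-09-01", 1_200_000, 1_800),
    ("FILESRV01", "2018-09-02", 1_200_000, 2_100),
    ("FILESRV01", "2018-09-03", 1_200_000, 1_750),
    ("FILESRV01", "2018-09-04", 1_200_000, 1_950),
    ("FILESRV01", "2018-09-05", 1_200_000, 2_000),
    ("FILESRV01", "2018-09-06", 1_200_000, 1_900),
    ("FILESRV01", "2018-09-07", 1_200_000, 185_000),   # mass rewrite of files
    ("FILESRV01", "2018-09-08", 1_200_000, 1_850),
    ("DB01", "2018-09-01", 500, 22),
    ("DB01", "2018-09-02", 500, 24),
    ("DB01", "2018-09-03", 500, 21),
    ("DB01", "2018-09-04", 500, 23),
    ("DB01", "2018-09-05", 500, 22),
    ("DB01", "2018-09-06", 500, 25),
    ("DB01", "2018-09-07", 500, 23),
]


def robust_baseline(values):
    """Median and median absolute deviation; MAD is floored at 1 so a flat
    history does not turn every tiny fluctuation into an infinite score."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, max(mad, 1.0)


def detect_change_spikes(sessions, min_history=5, z_threshold=6.0, min_ratio=0.05):
    """Return one alert per (node, day) whose change count is anomalous.

    A day is flagged only when both conditions hold:
      * its modified z-score against the node's prior days exceeds z_threshold
      * changed objects are at least min_ratio of the objects inspected,
        so a small node with noisy counts does not alert on a handful of files.
    """
    by_node = defaultdict(list)
    for node, date, inspected, changed in sorted(sessions, key=lambda s: (s[0], s[1])):
        by_node[node].append((date, inspected, changed))

    alerts = []
    for node, rows in by_node.items():
        history = []
        for date, inspected, changed in rows:
            if len(history) >= min_history:
                med, mad = robust_baseline(history)
                z = 0.6745 * (changed - med) / mad   # modified z-score (Iglewicz-Hoaglin)
                ratio = changed / inspected if inspected else 0.0
                if z > z_threshold and ratio >= min_ratio:
                    alerts.append({
                        "node": node,
                        "date": date,
                        "objects_changed": changed,
                        "baseline_median": med,
                        "modified_z": round(z, 1),
                    })
            history.append(changed)   # the spike itself joins the history afterwards
    return alerts


if __name__ == "__main__":
    for alert in detect_change_spikes(SESSIONS):
        print(f"{alert['node']} {alert['date']}: {alert['objects_changed']} objects changed "
              f"(baseline median {alert['baseline_median']}, z={alert['modified_z']})")
```

    The two-part condition matters in practice: a median-based score alone will flag any node whose history is nearly constant, while the ratio check on its own misses a steady, large file server. Requiring both keeps the alert list short enough that someone will actually look at it the day a client starts rewriting its files.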