The air gap problem in an automated service
That poses a problem for backup and DR, because the future of both functions is clearly delivery as a service. CIOs want to minimize the amount of on-prem infrastructure they have to maintain and manage, and with the rise of edge computing, it’s now possible to overcome the cloud’s inherent latency to provide complete, high-performing infrastructure services. So let’s look at the problem of protecting backups when they are created as part of a fully automated system.
The most effective way to protect backups from being cryptographically shredded by malware is to create an “air gap,” which means the backup and DR files are completely disconnected from the network. In a traditional backup system, this can be accomplished in a number of ways. If backing up to tape, once the tapes are written to, they’re removed from the recording device and stored somewhere offsite. If writing to disk, each disk can be removed from the network once the backup is complete, reconnecting them when it comes time to recover.
But in an automated service that’s operating at scale, it’s too cumbersome, slow and expensive to have someone manually disconnect the media on which backups are stored. And when IT needs to recover data, someone needs to go find the backup and connect it to the network. This extra step will substantially increase recovery time objectives (RTOs). The whole point of backup-as-a-service and DR-as-a-service is to 1) simplify the process so that IT no longer has to spend precious time and effort on it, and 2) increase efficiency to achieve much smaller recovery point objectives (RPOs) and RTOs.
Read our solution brief: Bulletproof Ransomware Protection
ClearSky’s air gap for backups
No responsible organization would deploy storage without also having a backup and DR system to protect it, so why should they be separate? At ClearSky, backup and DR are built into our on-demand storage service and included at no additional charge. The service takes snapshots of the entire storage environment as often as every 10 minutes without any performance impact on the production environment, and IT can recover even very large amounts of data in mere minutes.
So how do we protect these backups from ransomware attacks? We emulate an air gap.
To explain how we do this, I should first talk a bit about the ClearSky service architecture. The master copy of all data, as well as all snapshots of the storage environment, are ultimately stored in a backing cloud, but because cloud data centers are built so far away from big cities, the distance introduces unacceptable latency. To overcome this latency, we use an intelligent algorithm that caches hot data in a fully-managed, 2U device on-prem to provide flash performance. Additionally, ClearSky caches both hot and warm data (data that may be needed sometime in the next four to six months) at a nearby point of presence (PoP). Snapshots are available at both the PoP and in the cloud.
Learn how ClearSky customers have achieved backup independence
To emulate the air gap, all snapshots are stored as read-only files. They’re immutable and cannot be changed, and to provide an extra layer of protection, ClearSky requires two-factor authentication to access any of the backup and DR files. So not only can ransomware not access the files, even it if could, they aren’t stored in such a way such that the malware could modify them.
As a result, we have the functional equivalent of an air gap in our fully automated backup and DR services. And, thankfully, because recovery is so fast, organizations using our on-demand storage service don’t have to wait weeks or months to get back their data. You’ll be back up and running in minutes, making ransomware one more thing that IT pros don’t have to worry about with ClearSky.
Interested in learning more about how ClearSky can protect you from ransomware while cutting the TCO for storage in half? Sign up for a demo today