Immutable Data Architectures: A Defensive Hybrid Cloud Posture Against Ransomware
Ransomware relentlessly targets employees and organizational infrastructure, and it is expected to infect businesses and government organizations every 11 seconds by next year. These schemes are even more insidious when considering that each time attackers are paid off, the victims are forcibly funding the development of newer and more complicated exploits. Worse yet, there is no guarantee that all affected data will be decrypted and unlocked, and the very code delivered to free data in the first place could infect other systems and trigger future ransoms.
This is of particular concern when it comes to cloud-based file systems. These platforms, which can combine the benefits of cloud and on-premises services to manage and share files on a global scale efficiently, are an obvious attack vector for bad actors. This is in large part due to the costly impact of business disruption and potential paralysis of workflows due to loss of data availability.
The enterprise now deals with increasingly large files and vastly increased amounts of data that need to be shared across multiple offices for collaboration among remote teams — especially as business shifts to new workforce models in response to the pandemic. Perimeter and endpoint protections are inadequate to handle the ransomware threat because they imply that employees, contractors, partners, and anyone with credential access to a network are resistant to social engineering. Examples of social engineering include fake emails, phony web pages, deceptive software downloads and updates, and even illicit web-based instant messages.
Toward immutable architectures
No amount of training and education will realistically suppress attacks or achieve total compliance with digital-security hygiene best practices. Research and advisory firm Gartner has identified approaches that protect cloud-native applications and business initiatives as crucial trends toward improving overall ransomware resiliency. To that end, if executed well, near invulnerability to ransomware can realistically be achieved with immutable data architectures.
Immutable data architecture means that once written, data cannot be changed, and if it cannot be changed, it cannot be encrypted by ransomware. However, by their nature, global file systems acknowledge that files are dynamic and frequently change, making immutability an elusive engineering goal for the CISO, CSO, and IT department leaders.
At the heart of every ransomware attack is the ability for files to be modified once they are accessed. Current models aim to ensure that the master copy of data itself cannot be altered once it is written, but this assumes that nefarious updates will not be successful; experience with ransomware shows that this is simply not the case.
One method to achieve this is to write new or changed blocks to additional objects in the cloud whenever changes are made to a file. Whereas traditional NAS-based file systems allow changes made to a file to alter the file itself, this approach treats any file changes as changed data blocks. That means that frequent data synchronization events can occur both to the cloud and every local location in a network. This is similar to how Automatic Synchronization Transactions are retried at regular intervals by the client-side Sync Agent in an Oracle database if synchronization fails because of a network error—as a persistent, objective data recovery point.
Under this approach, if ransomware gets past cyber defenses and encrypts data, local filers can write the resulting encrypted files to a cloud object store as new data. Pre-existing data is unaffected and preserved as original objects in the object store, which means that all files encrypted by the ransomware code can be restored to their previous state. Ideally, this can be done for a single file, entire directories, or an entire global file system. Recovery would mean reinstating the previous, unencrypted version of a file, directory, or file system.
The recovery point objective itself is dependent on the frequency with which snapshots move data from each network location to the cloud and the snapshot frequency within the cloud store itself, each of which provides point-in-time recovery.
The time to recovery depends on how granular the affected business wants it to be. If, for example, the file system is to be restored to the most recent unaffected snapshot, the process is fast. However, it risks unnecessarily overwriting good data. As a result, it may be preferable to spend a little longer to perform a more targeted recovery that retains all unaffected files and replaces those that have actually been encrypted. Either way, exposure to file damage or loss is minimized, and data recovery is achieved without paying a cent in ransom.
Core technical considerations
From a technical standpoint, services on the front end — or client-side — of a filer can be serviced by either the SMB or NFS protocols. With this model, services can be created, modified, or deleted as needed, provided users have the appropriate file permissions to do so.
The filer can write all of each file’s data to a configured cloud such as AWS, Azure, Google, IBM, Dell/EMC ECS object storage, or any number of private or public object stores. The data architecture is immutable in the sense that a filer will never change any data that has been written to the object store, even though changes can be made to the resulting files. For example, when you save a file, a filer can split that data into multiple objects and cache those blocks for fast access. When changes are made, the filer will write those changed or new blocks to additional objects in the cloud but not modify an existing object in the cloud.
When a file is opened, it can simply be decrypted to rehydrate the associated data blocks and deliver them to the client as a complete file. This is an effective defense because ransomware encrypts all data with a key to which only the attacker has access. This key is what victims pay for. If all of the data can never be modified, then it cannot be held ransom.
Moreover, with immutable data architecture, if ransomware encrypts data, the resulting encrypted files are written as new data. Since existing data is preserved as original objects in the object store, any file encrypted by the ransomware code can be immediately reverted to its last state before infection. This can be easily done for a single file, entire directories, or even the entire global file system.
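The write model and recovery options described above can be seen in a small simulation. This is an added example, not code from any filer product: the WriteOnceStore and Filer classes, the file names and the XOR stand-in for attacker encryption are all constructed for illustration. It shows that changed blocks land as new objects, that pre-existing objects survive, and how a targeted restore differs from a full rollback.

```python
import hashlib

BLOCK = 4  # tiny block size so the constructed samples span several objects

class WriteOnceStore:
    """Object store with no overwrite or delete: put() only ever adds objects."""
    def __init__(self):
        self._objects = {}
    def put(self, data):
        key = hashlib.sha256(data).hexdigest()
        self._objects.setdefault(key, data)  # an existing object is never modified
        return key
    def get(self, key):
        return self._objects[key]
    def keys(self):
        return set(self._objects)

class Filer:
    """Maps each path to a manifest (ordered block keys); snapshots freeze manifests."""
    def __init__(self, store):
        self.store, self.live, self.snapshots = store, {}, []
    def write(self, path, data):
        self.live[path] = tuple(self.store.put(data[i:i + BLOCK])
                                for i in range(0, len(data), BLOCK))
    def read(self, path):
        return b"".join(self.store.get(k) for k in self.live[path])
    def snapshot(self):
        self.snapshots.append(dict(self.live))
        return len(self.snapshots) - 1
    def restore(self, snap, paths=None):
        """paths=None rolls back everything; a list restores only those files."""
        good = self.snapshots[snap]
        if paths is None:
            self.live = dict(good)
        else:
            for p in paths:
                self.live[p] = good[p]

def demo():
    store = WriteOnceStore()
    filer = Filer(store)
    filer.write("report.doc", b"quarterly numbers")  # constructed sample data
    filer.write("notes.txt", b"draft v1")
    clean = filer.snapshot()
    kept = store.keys()
    filer.write("notes.txt", b"draft v2")            # legitimate edit after snapshot
    scrambled = bytes(b ^ 0x5A for b in filer.read("report.doc"))  # stand-in for encryption
    filer.write("report.doc", scrambled)             # lands as new objects only
    survived = kept <= store.keys()                  # pre-existing objects untouched
    filer.restore(clean, ["report.doc"])             # targeted recovery
    targeted = (filer.read("report.doc"), filer.read("notes.txt"))
    filer.restore(clean)                             # full rollback, for comparison
    return survived, targeted, filer.read("notes.txt")
```

The targeted restore keeps the legitimate post-snapshot edit to notes.txt, while the full rollback discards it, which is the trade-off between speed and overwriting good data noted earlier.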
Ransomware is a difficult and expensive problem that targets both infrastructure and employees. As hackers continue their attempts to access data, the systems that store it must adapt with new approaches to stay one step ahead. While no strategy for data security can offer a guarantee that it is totally impervious to attack, an immutable data architecture within filers themselves can provide protection against ransomware and give peace of mind to the modern enterprise.