Top 5 Sub-2PB Cyber Secure Backup

Published on March 21, 2024, this market report was written by Jerome M. Wendt, CEO and principal data protection analyst, Data Center Intelligence Group LLC (DCIG).

DCIG announced the availability of the Global Edition of its inaugural Top 5 report on sub-2PB Cyber Secure Backup Targets. The report provides enterprises with guidance on the best cyber secure backup targets to use for storing backups, repelling ransomware attacks, and facilitating restores and recoveries.

Cyber security becomes core backup target feature
Enterprises have historically measured backup targets based on how well they minimally deliver on the following three features:
• Backup throughput speeds
• Data reduction
• Economical storage

Ransomware threats and attacks have forced enterprises to add at least one more core feature to this list: cyber security.

Enterprises and managed service and technology providers now regularly report that many ransomware stains routinely target their backup infrastructures. Some ransomware strains even start their attacks by seeking to compromise or disable backup targets.

This do so in one or more of the following ways:
• Compromise or obtain administrative logins to these systems.
• Delete backups residing on them.
• Encrypt backups residing on them.
• Exfiltrate, or copy, backups from the system to the hacker’s site.

State of cyber secure backup targets
Only recently have storage providers, as a group, begun positioning their NAS solutions as backup targets. Prior to that, few storage providers formally marketed their NAS systems as backup targets. While NAS systems could serve in this role, providers downplayed this functionality.

Today, few providers exhibit any concerns about their NAS solutions being used as backup targets. More than 20 different storage providers promote more than 100 production storage systems on their respective websites as backup targets.

While many of these storage systems support multiple storage protocols, this report focuses on solutions with file protocol support. These support either the NFS, the CIFS, or both.

These NAS solutions provide the following benefits for backup that enterprises frequently want:
• Backup software can easily discover and utilize these solutions as backup targets.
• Client-side software available to accelerate backup throughput.
• Facilitate fast application, and data, restores.
• Fast, easy deployment, setup, and management in enterprise backup infrastructures.
• Readily recognized as a storage target by all commonly used operating systems.
• Utilize standard, cost-effective Ethernet for network connectivity.

Top 5 sub-2PB cyber secure backup targets
Ransomware first attacking backup targets hinders an enterprise’s ability to recover from an attack. Having compromised the backup target in any of these ways, the ransomware then turns to attacking production IT data and systems. If it then succeeds in these attacks in production, enterprises may find themselves without any restoration or recovery options. In preparing this report, DCIG formally evaluated over 100 different storage systems based on multiple different features and capabilities. Thirteen of these solutions met DCIG’s criteria for a Sub-2PB Cyber Secure Backup Target in the Global Edition of this report.

Solutions evaluated
1. Arcserve OneXafe 4500
2. Dell PowerProtect DD6900
3. ExaGrid EX10
4. ExaGrid EX18
5. HPE StoreOnce 3660
6. HPE StoreOnce 5660
7. Huawei OceanProtect X6000
8. iXsystems TrueNAS M30
9. iXsystems TrueNAS R20
10. iXsystems TrueNAS X20
11. Nimbus Data ExaFlash One 12. Quantum DXi4800
13. Starwind Software SA-2AF

The general categories under which the features of these backup targets fell included:
• API/network protocols supported
• Data protection
• Hardware configuration
• Management
• Technical support

Based on these criteria, DCIG awarded the following sub-2PB Cyber Secure Backup Targets, in alphabetical order, a Top 5 ranking:
• Arcserve OneXafe 4500
• Dell PowerProtect DD6900
• ExaGrid EX18
• Huawei OceanProtect X6000
• iXsystems TrueNAS X20

Common features across sub-2PB cyber secure backup targets
Each of these 13 cyber secure backup targets offers the core features that enterprises should prioritize when selecting a Sub-2PB Cyber Secure Backup Target. Across these 13 backup targets, DCIG evaluated over 170 features on each one.

Despite all these solutions scaling from at least 250TB up to 2PB of raw storage capacity, enterprises may only safely assume that each one minimally possesses the following features:
1. Six Ethernet ports. Since each backup target supports file networking protocols, organizations would expect each one to support Ethernet connectivity. Further, organizations might expect each solution to offer numerous Ethernet ports due to the number of petabytes supported. Yet organizations may only safely assume any one of these backup targets to offer 6 ports. Even that number of ports comes with a caveat. Many of the sub-2PB backup targets that offer HA support two controllers in an Active-Passive configuration. In this configuration organizations may only routinely use the Ethernet ports on the Active controller. The remaining ports on the Passive controller remain in standby mode until that controller becomes the Active controller.
2. Can minimally provide 8TB per rack unit. Organizations concerned about the utilization of data center floor space need to pay attention to this metric. Sub-2PB cyber secure backup targets vary widely in their storage density with one model only offering 8TB per rack unit (TB/RU). Another 30% support less than 50TB/RU. On the positive side, 5 models achieve over 100TB/RU.
3. Compression. Due to more storage systems repositioning themselves as backup targets, organizations must verify their data reduction capabilities. With respect to this functionality, organizations may now only assume that all these backup targets offer compression. If they need the solution to deliver de-dupe, they should check further. Only slightly more than 65% offer de-dupe as a core or optional feature.
4. NFS/SMB protocols. As a report that focuses on backup targets that offer file protocol support, one may assume they support either NFS or SMB. That assumption would be correct. Further, every sub-2PB backup target supports both file protocols. However, not every sub-2PB backup target supports the most secure versions of both protocols. NFSv3 represents the most widely supported secure file protocol across these backups targets as over 90% support it. 84% also support the SMBv3 protocol. Organizations should also verify if the backup target supports SMBv1, as nearly 70% do. This may present a security risk in some organizations. Not every model offers the option to disable SMBv1. If enabled on the backup target, this could present an internal cyber security risk.
5. Command line interface. Backup targets offer as many as 15 or more ways for organizations to manage them. In the case of sub-2PB backup targets, organizations may only safely assume they can use a command line interface (CLI) to manage one. However, organizations may also manage over 90%t of sub-2PB backup targets using a web interface.
6. High levels of technical support. Every provider of sub-2PB cyber secure backup targets offers the option to obtain technical support with 4-hour response times. They may access technical support by either email or phone.

Top 5 Sub-2PB Cyber Secure Backup Target – Solution Profiles
Each of the following Top 5 sub-2PB cyber secure backup target solution profiles high- light at least 3 ways each solution differentiates itself. These differentiators represent some of the best methods that sub-2PB cyber secure backup targets offer to backup, restore, and/or secure data stored on them. Within each solution, organizations may find features that may better meet their specific needs.

Arcserve OneXafe 4512
The company distinguishes itself with a focus on data protection solutions for SMEs. The OneXafe 4500 aligns well with its overall data protection strategy. While any backup software may use OneXafe, Arcserve Unified Data Protection (UDP) backup software already integrates with OneXafe.

Through this integration with UDP, organizations may choose from different compression, de-dupe, and encryption features available on each product. The 2 products then work together to optimize these settings to achieve better data storage and performance results.

Cyber secure features that the ArcServe OneXafe 4512 offers that help differentiate it from other Top 5 sub-2PB cyber secure backup targets include:
• Built atop an underlying object-based storage system. The OneXafe 4512 presents a standard le system interface using common CIFS and NFS protocols acces- sible by any backup software. However, this le system overlays object-based storage. This equips OneXafe to automatically store any backup data in an immutable format. OneXafe delivers on this ideal by only writing data as objects once and then never modifying them. It then encrypts each object and protects it with a cryptographic hash.If existing backups do get overwritten or changed, It creates new objects while preserving the existing ones.
• Scale-out file system. Arcserve offers 3 OneXafe models ranging in capacity from 96 to 216TB in raw capacity. These various capacities position organizations to start with a single OneXafe with only the capacity they need. However, backups can grow quickly which may necessitate adding OneXafe models that offer more capacity and performance. OneXafe’s scale-out file system makes this proces a straight forward task. Each time an organization introduces a new model, or node, it can add it to the existing OneXafe cluster. The OneXafe scale-out file system then automatically balances the data between the nodes in the new cluster. It performs this task without configurations changes or application downtime.
• Includes continuous data protection. Organizations may use OneXafe as either a backup target or a general-purpose file server. Regardless of how they use it, OneXafe performs continuous data protection (CDP) by continuously taking immutable snapshots across the entire. For newly stored data, it takes a snapshot every 90s for the 1st hour. After that, it takes hourly, daily, and monthly snapshots. This gives organizations multiple recovery points from which to choose for restores in the event of a ransomware attack.

Dell PowerProtect DD6900
It represents the modern iteration of one of the original disk-based backup targets. In its early releases, PowerProtect (formerly Data Domain) focused on delivering high de-dupe ratios and backup throughput rates. These factors led to it becoming a widely adopted purpose-built backup target used by many organizations.

While these attributes persist, Dell has in recent years added more optional cyber security features to better address ransomware’s threat. For instance, organizations may obtain the DD6900 as a highly available solution with 2 controllers in an active-standby con guration.

Other features that the PowerProtect DD6900 offers that further help differentiate it from other Top 5 sub-2PB cyber secure backup targets include:
• Two data immutability options. Organizations may implement data immutability on the DD6900 by licensing one or both of its 2 optional Retention Lock features. The Governance Retention Lock option permits DD6900 to lock backups so no user may change or delete them. However, using this option, individuals with administrative privileges may still alter file permissions. If changed, one may then again modify or delete backups. The DD6900’s more stringent Compliance Retention Lock license prevents even administrators from making any changes or deletions to backup. Once set, no one may change or delete backups until after the expiration of the preset backup date.
• PowerProtect Cyber Recovery. Organizations may centralize and automate the isolation of their backups using separately licensable PowerProtect Cyber Recovery software. It specifically relies upon the PowerProtect DD6900’s replication and Retention Lock features to isolate, secure, and restore backups. It may store and secure backups on-premises, at another location, or in AWS, Azure, or Google Cloud.
• Detects ransomware in backups. Organizations that use PowerProtect Cyber Recovery solution also gain access to CyberSense. CyberSense performs full content indexing of backups once they are vaulted. It also utilizes ML to analyze content-based statistics and detect signs of corruption potentially caused by ransomware. Should a ransomware event occur, CyberSense can provide post-attack forensic reports. They help organizations grasp the breadth and depth of the attack and identify potentially good backups to use for restores.

ExaGrid EX18
The company distinguishes itself as being the only Top 5 provider to focus exclusively on delivering and optimizing backup targets. It delivers the EX18 as a scale out solution that offers the option to start with a single appliance. It may then scale up to 32 appliances in a single logical configuration.

Each EX18 contains 48TB raw storage that when fully scaled out offers about 1.5PB of raw capacity (~1.1PB usable.) When fully configured, organizations may obtain up to 115TB/hour of backup throughput.

The firm minimizes or eliminates the need for organizations to perform forklift upgrades of the EX18. Organizations may mix and match any age or size appliance from ExaGrid’s 7 different Tiered Backup Storage models in the same scale-out system. This mix spans older and newer models so organizations may upgrade and deploy only the amount of storage needed.

Other features that the EX18 offers that further help differentiate it from other Top 5 sub-2PB cyber secure backup targets include:

• Concurrently utilizes multiple features for backup acceleration. The vendor represents one of the few providers that only uses HDDs in its backup targets.

To deliver higher performance than even SSD-based backup targets, it minimally uses the following three different techniques:
1. It optimizes its file system for ingesting large file backup jobs.
2. Uses job concurrency for parallel backups including integrations with the backup application for front-end load balancing.
3. It offers a disk-cache Landing Zone so backups complete uninterrupted. Its global de-dupe only begins after backup writes complete.

• Creates a tiered air gap with a delayed delete policy. The vendor recognizes ransomware may attack backups stored on its Landing Zone. To protect these backups, it takes the following 2 steps.

First, as backup writes complete, ExaGrid immediately copies, de-dupes, and stores data on a non-network facing, air-gapped Repository Tier. Stored in an immutable format, ransomware can then neither access nor change data stored on this tier.

Second, it offers a configurable delayed delete policy. Backup targets themselves have become susceptible to ransomware attacks with bad actors attempting to log into devices. Implementing the delayed delete policy prevents backups from being deleted even should a hacker take control of an ExaGrid system. Any commands issued to delete data must wait the time speci ed in the delayed delete policy before a deletion occurs.

• Assigns level 2 senior support engineers to each customer account. Backup challenges inevitably emerge in every organization. To help quickly resolve them, ExaGrid assigns a level 2 senior support engineer to each customer account. This helps engineers become familiar with the customer’s backup environment and its history. Customers may contact their assigned engineer directly to receive support without waiting on a support line or in a ticketing system. ExaGrid has support engineers located around the world.

Huawei OceanProtect X6000
The company distinguishes itself by being the only provider to develop and manufacture all software and hardware in all its solutions. It adopted this approach for multiple reasons. Using the same software across all its backup, cloud, and storage solutions provides the same management experience across them. This then positioned Huawei to make ransomware protection capabilities available across all its solutions.

On the hardware side, the firm delivers high levels of availability in each of its backup solutions. The OceanProtect X6000 illustrates this capability. It represents the only sub-2PB cyber secure backup target to offer active-active storage controllers with both all-flash and all-HDD models. In this configuration, both controllers simultaneously access all backend storage to provide HA and performance.

Cyber secure features that the OceanProtect X6000 offers that help differentiate it from other Top 5 sub-2PB cyber secure backup targets include:
• Air gap replication and ransomware checks. Using the OceanProtect X6000 organizations may configure a replication SLA. This setting determines the replication frequency and when the network link becomes active.

The OceanProtect 1st makes copies of backups in the form of read-only snapshots on the primary OceanProtect X6000 target. Once created, the Air Gap network link goes live. It then replicates the snapshots from the primary backup target to the X6000 in the isolation environment. The network link then gets turned off.

Once off, the X6000 in the air gapped environment encrypts the replicated snapshots and checks them for ransomware. If it does not detect any ransomware, it applies compliance WORM attributes to the snapshots to prevent data tampering.

• End-to-end data encryption. To counter the growing problem of data leakage, or exfiltration, during ransomware attacks, the OceanProtect X6000 offers end-to-end (E2E) data encryption. It encrypts data at-rest using AES-256 array-based encryption. Organizations may choose from SMBv3, NFSv4.0, or NFSv4.1 encryption to replicate data in-flight during air gap and remote replication. The OceanProtect X6000 accounts for encryption’s overhead with its many multi-core CPUs.

• Scan backups for ransomware by connecting to its OceanCyber data security appliance. Despite all the precautions that organizations take to protect their data from ransomware, ransomware may still slip in undetected. This may occur due to new strains coming in undetected by current organizational anti-malware and rewall software. To counter this, Huawei also offers its OceanCyber data security appliance for more holistic data protection.

The OceanCyber data security appliance connects to multiple firm’s storage systems, including the OceanProtect X6000. Using OceanCyber appliances, organizations may set and manage security policies to monitor and alert for ransomware across these systems. It can scan data at up to 50TB/hour for ransomware and generate alerts if it detects any anomalies.

iXsystems TrueNAS X20
The company represents one of multiple storage providers that has for years offered cost-effective storage systems used as backup targets. It offers the choice of TrueNAS on either FreeBSD or Debian Linux, both Open Source operating systems, and their OpenZFS file system. Using this approach, it has steadily increased the number of relevant backup target software features on them.

For instance, the TrueNAS X20 includes many of the software features often associated with a backup target. These include compression, de-dupe, snapshots, replication, and even read and write acceleration. Firm’s approach to software development has resulted in the price of TrueNAS X20 remaining attractive, starting as low as $12,000.

However, organizations that need dual controller or higher levels of support should expect to pay more.

Cyber secure features that the TrueNAS X20 offers that help differentiate it from other Top 5 sub-2PB cyber secure backup targets include:

• Built-in data immutability. Using OpenZFS as its underlying file system grants the TrueNAS X20 access to built-in data immutability. Anytime data gets changed or overwritten, TrueNAS automatically retains any blocks containing old data. This is known as copy-on-write. Using this feature, should ransomware attack data on the X20, organizations may roll back to prior backups. The X20’s snapshot feature capitalizes on the inherent copy-on-write feature by taking read-only snapshots. Each snapshot records all the data and metadata blocks that comprise the file system at the time of the snapshot.

• Offers multiple encryption options. Data leakage represents one of the bigger threats that any ransomware event presents to organizations. To mitigate the impact of any data leakage, the TrueNAS X20 can encrypt data both at-rest and in-flight. Organizations may order X20 models with self-encrypting drives, either SSDs or HDDs. This option minimizes the possibility of data leakage in the event of hardware theft or compromise. They may also encrypt data at-rest using the TrueNAS X20’s OpenZFS. It encrypts block, file, and object data at-rest. Finally, organizations may use TrueNAS to encrypt data-in-flight, such as when they replicate data between TrueNAS systems.

• Can synchronize data with multiple cloud providers. Moving data offsite to the cloud creates an air gap that further helps protect organizational data from ransomware attacks. Storing data on cloud object storage with object lock enabled also provides another layer of data protection. The TrueNAS X20 Cloud Sync feature equips organizations to perform this task.

Included with TrueNAS, Cloud Sync can replicate data to cloud storage from the over 15 different providers it supports. TrueNAS can both transfer data to (push) or transfer data from (pull) any of the supported cloud providers. Many organizations will configure Cloud Sync to push backups to the cloud on a regular schedule. However, if they need to restore, they can access that same task, expand it, and click on Restore to pull data back.