Immutable Storage for Ransomware Protection and Recovery

This report was published on August 19, 2021 and written by Todd Dorsey, analyst at DCIG, LLC.

Immutable Storage for Ransomware Protection and Recovery

All organizations need to face an unpleasant truth: It is not a question of “If” they will experience a ransomware attack; it is a matter of “When.” While cybersecurity software serves as a first-line defense vs. ransomware, IT leaders recognize cybersecurity software alone does not thwart all ransomware attacks. And as an assumption an attack may succeed, these leaders also recognize they must protect their production and backup data. Immutable storage can help.

Protecting Data through Immutable Storage
To stop ransomware from encrypting data, administrators may use immutable storage solutions as a viable means of securing and protecting data from attacks.

Multiple immutable storage options now exist from cloud storage and networked storage providers. Once files or data is stored in an immutable state, even ransomware cannot alter the data. These solutions protect data from the attack and provide a source to quickly recover data in an unencrypted format.

Cloud for Immutable Storage
Using cloud storage to store backup and production data appeals to organizations now more than ever. Many cloud storage offerings include data immutability features that deliver in one or both of the following two ways:

• Journaling or versioning file systems. When existing data stored in the cloud gets changed or modified, the cloud does not delete the old version; rather, the cloud versioned file system retains the existing, as well as previous versions of the data as immutable objects. Ransomware may change the visible or current production data; however, ransomware cannot encrypt previously existing data stored in immutable form. Organizations may select a prior, existing version of data and use that version to recover. Some solutions write all files as immutable objects, simplifying the management and recovery of ransomware encrypted data.
• Amazon S3 Object Lock. Object Lock operates like write once, read many WORM storage. Organizations apply and enforce retention policies on data they store in the cloud. Once data gets written, nothing may change or delete the data until the data’s retention period expires.

These two features set cloud storage as a logical option to protect organizational data from a ransomware attack.

Organizations should not automatically equate a solution’s support of cloud storage with protection from ransomware. These solutions must support automatic, or at a minimum, turning on immutable versioning or setting the object lock on the data placed in the cloud. If the solution supports versioning, enterprises should also verify it offers an option to select past points in time for recovery.

Networked Storage with Secure Object Data Stores
More on-premise storage solutions offer immutable data, cloud storage options through a simple storage solution (S3) API. These storage systems provide a standard file system interface that supports the NFS and SMB networked file protocols. In this way, organizations may deploy and access data on these systems like any networked storage solution.

Beneath their file system presentation layer, these storage solutions use an immutable object store. Applications, clients, and users only see and write data to their file system. Once written, the solution automatically stores the data on its underlying object store as immutable objects.

Using this approach, applications, clients and users may still change or delete data presented through the solution’s file system interface. However, the solution’s underlying object store neither changes nor deletes the prior version of the data.
Instead, the storage system’s object store journals all changes. The system chronicles new writes as well as any changes, additions, or deletions of existing data. This technique safely preserves new data as well as the prior, original version of the data. By preserving this data, should a ransomware attack occur, organizations may roll back to a prior point in time.

Immutable Storage – A Critical Role
In summary, every organization should use available cybersecurity software as the first and best line of defense vs. ransomware attacks. Detecting and stopping ransomware attacks still serves organizations better than recovering from an attack. However, cybersecurity software does not provide a foolproof defense vs. these attacks.

This data gap dictates that organizations have a recovery plan in place. Placing data on an immutable storage solution plays a critical role in recovering from a ransomware attack. When stored as immutable objects, all data is preserved in an unaltered state, providing organizations with multiple, viable recovery points.

Used in conjunction with cybersecurity software, these immutability features help ensure organizations have the appropriate defenses in place to protect them from the disruption and costs of a successful ransomware attack.