Top 5 2PB+ Cyber Secure Backup Targets

Published on February 1, 2024, this market report was written by Jerome M. Wendt, CEO and principal data protection analyst, Data Center Intelligence Group LLC (DCIG).

2024-25 DCIG TOP 5 2PB+ Cyber Secure Backup Target Global Edition Report Now Available

DCIG is announces the availability of the its 2024-25 TOP 5 2PB+ Cyber Secure Backup Target Global Edition Report. This report provides guidance on the Top 5 cyber secure backup targets that enterprises should consider in their fight against ransomware. They afford enterprises the best options for accelerating backups, repelling ransomware attacks, and facilitating restores and recoveries.

Cyber security becomes core backup target feature
Enterprises have historically measured backup targets based on how well they minimally deliver on the following 3 features:
• Backup throughput speeds
• Data reduction
• Economical storage

Ransomware threats and attacks have forced enterprises to add at least one more core feature to this list: cyber security.

Enterprises and managed service and technology providers now regularly report that many ransomware stains routinely target their backup infrastructures. Some ransomware strains even start their attacks by seeking to compromise or disable backup targets.

This do so in one or more of the following ways:
• Compromise or obtain administrative logins to these systems.
• Delete backups residing on them.
• Encrypt backups residing on them.
• Exfiltrate, or copy, backups from the system to the hacker’s site.

State of cyber secure backup targets
Only recently have storage providers, as a group, begun positioning their NAS solutions as backup targets. Prior to that, few storage providers formally marketed their NAS systems as backup targets. While NAS systems could serve in this role, providers downplayed this functionality.

Today, few providers exhibit any concerns about their NAS solutions being used as backup targets. More than 20 different storage providers promote more than 100 production storage systems on their respective websites as backup targets.

While many of these storage systems support multiple storage protocols, this report focuses on solutions with file protocol support. These support either NFS, CIFS or both.

These NAS solutions provide the following benefits for backup that enterprises frequently want:
• Backup software can easily discover and utilize these solutions as backup targets.
• Client-side software available to accelerate backup throughput.
• Facilitate fast application, and data, restores.
• Fast, easy deployment, setup, and management in enterprise backup infrastructures.
• Readily recognized as a storage target by all commonly used OSs.
• Utilize standard, cost-effective Ethernet for network connectivity.

Top 5 2PB+ cyber secure backup targets
Ransomware first attacking backup targets hinders an enterprise’s ability to recover from an attack. Having compromised the backup target in any of these ways, the ransomware then turns to attacking production IT data and systems. If it then succeeds in these attacks in production, enterprises may find themselves without any restoration or recovery options.

In preparing this report, DCIG formally evaluated over 100 different storage systems based on multiple different features and capabilities. 27 of these solutions met its criteria for a 2PB+ Cyber Secure Backup Target in the Global Edition of this report.

Solutions evaluated
1. Dell PowerProtect DD9400
2. Dell PowerProtect DD9900
3. ExaGrid EX27
4. ExaGrid EX36
5. ExaGrid EX54
6. ExaGrid EX84
7. ExaGrid EX189
8. Huawei OceanProtect X8000
9. Huawei OceanProtect X9000
10. Infinidat In niBox F6320
11. Infinidat In niGuard 83420
12. InforTrend EonStor CS 4000
13. InforTrend EonStor GS 4000
14. iXsystems TrueNAS M40
15. iXsystems TrueNAS M50
16. iXsystems TrueNAS M60
17. iXsystems TrueNAS R50
18. Nexsan Unity NV10000
19. Pure Storage FlashArray//E
20. Pure Storage FlashBlade//E
21. Pure Storage FlashArray//C90
22. Qnap TS-h2287XU-RP
23. Quantum DXi9000
24. Quantum DXi9100
25. RackTop Systems BrickStor SP BSND41025
26. RackTop Systems BrickStor SP BSND41125
27. Vast Data Platform

The general categories under which the features of these backup targets fell included:
• API/network protocols supported
• Data protection
• Hardware configuration
• Management
• Technical support

Based on these criteria, DCIG awarded the following 2PB+ Cyber Secure Backup Targets a Top 5 ranking:
• ExaGrid EX189
• Huawei OceanProtect X9000
• Infinidat Infinibox/InfiniGuard
• Nexsan Unity NV10000
• Vast Data Platform

Common features across 2PB+ cyber secure backup targets
Each of these 27 cyber secure backup targets offers the core features that enterprises should prioritize when selecting a 2PB+ Cyber Secure Backup Target. Across these 27 backup targets, DCIG evaluated over 170 features on each one.

Despite all these solutions scaling to 2PB or higher, enterprises may safely assume that each one minimally possesses the following features:

Four Ethernet ports. Since each backup target supports file networking protocols, enterprises would expect they support Ethernet connectivity. Further, enterprises might expect each solution to offer numerous Ethernet ports due to the number of petabytes supported. Yet enterprises may only safely assume the availability of four Ethernet ports on any of these systems. However, over 90 percent scaled to offer up to eight ports.
Can fit 100TB in every rack unit. Data center floor space remains some of the most expensive real estate in the world. This often makes optimizing every square inch of available space an imperative. Cyber secure backup targets do their part. Each one can hold no less than 100TB per rack unit (TB/RU). Further, over 85% of these backup targets can achieve up to 250 TB/RU.
Compression. Due to more storage systems repositioning themselves as backup targets, enterprises must verify their data reduction capabilities. With respect to this functionality, enterprises may now only assume that all these backup targets offer compression. If they need the solution to deliver de-dupe, they should check further. Only slightly more than 75% now offer de-dupe as a core or optional feature.
NFSv3/SMBv2. As a report that focuses on backup targets that offer file protocol support, one may assume they support NFSv3/SMBv2. That assumption would be correct. However, enterprises should not assume these backup targets support all versions of these two file protocols. SMBv3 represents the next most widely supported protocol across these backups targets as nearly 90% support it. Enterprises should also verify if the backup target supports and enables SMBv1 by default, as about 50% do. If enabled and using SMBv1 on the backup target, this could present an internal cyber security risk.
Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). Storage systems of any type integrating with and supporting AD and LDAP were once more the exception than the rule. No more. The threat of ransomware has led to more storage providers implementing better forms of identity management on their storage systems. As it pertains to these 2PB+ cyber secure backup targets, all now support AD and LDAP.
Email alerts, notifications, and technical support. 2PB+ cyber secure backup targets use at least 8 and possibly more means to send out alerts and warnings. However, email represents the only alert and notification feature that enterprises may assume every backup target supports. This even extends to technical support. Enterprises cannot simply assume that because a backup target scales over 2PB that it offers other means of technical support. They can only assume that it offers email technical support.

Top 5 Cyber Secure Backup Target Solution Profiles
Each of the following Top 5 cyber secure backup target solution profiles highlights at least three ways each one differentiates itself. These differentiators represent some of the best methods that cyber secure backup targets offer to back up, restore, and/or secure data stored on them. Within each solution, enterprises may nd specific features that may better meet their specific needs.

ExaGrid EX189
ExaGrid distinguishes itself as the only scale-out backup target to achieve a Top 5 ranking. Scaling out to 32 appliances, the EX189 offers nearly 14PB of raw capacity (~12PB usable) in its largest configuration. It can take in over 6PB in a full backup into a single system.

Its scale-out architecture helps organizations minimize or eliminate the need for enterprises to perform forklift upgrades. Enterprises may also mix and match any age or size appliance of ExaGrid’s seven different Tiered Backup Storage models in the same scale- out system. This includes older and newer models so enterprises can seamlessly upgrade and deploy only the storage that they need.

Other features that the EX189 offers that further help differentiate it from other Top 5 2PB+ cyber secure backup targets include:

• Concurrently utilizes multiple features for backup acceleration. The company represents one of the few, if not the only provider, that only uses HDDs in its backup targets. To deliver faster backup performance than many SSD-based targets, it minimally uses the following 3 different techniques:
1. It optimizes its file system for ingesting large file backup jobs.
2. Uses job concurrency for parallel backups including integrations with the backup application for front-end load balancing.
3. It offers a disk-cache Landing Zone so backups complete uninterrupted. Its global de-dupe only begins after backup writes complete.

• Creates a tiered air gap with a delayed delete policy. ExaGrid’s need to expose the Landing Zone on its systems does make that feature susceptible to ransomware attacks.

The vendor addresses this concern by offering 2 other features.

First, as backup writes complete, it immediately copies, de-dupes, and stores data on a non-network facing, air-gapped Repository Tier. Stored in an immutable format, ransomware can then neither access nor change data stored on this tier.

Second, it offered a configurable delayed delete policy. Backup targets themselves have become susceptible to ransomware attacks with bad actors attempting to log into devices. Implementing the delayed delete policy prevents backups from being deleted even should a hacker take control of an ExaGrid system. Any commands issued to delete data must wait the time specified in the delayed delete policy before a deletion occurs.

• Assigns level 2 senior support engineers to each customer account. Backup challenges inevitably emerge in every enterprise. To help quickly resolve them, the company assigns a level 2 senior support engineer to each customer account. This helps engineers become familiar with the customer’s backup environment and its history. Support calls placed to company then immediately get routed to their assigned engineer who are located around the world.

Huawei OceanProtect X9000
Huawei distinguishes itself by being the only provider to develop and manufacture all software and hardware in all its solutions. It adopted this approach to achieve higher levels of resiliency in its offerings.

Equally notable, it uses the same software across all its backup, cloud, and production storage solutions. This positions enterprises to move applications and work- loads between any of these environments and expect the same experience. Further, any firm’s storage customer gains access to the ransomware protection capabilities available in all its storage solutions.

Cyber secure features that the OceanProtect X9000 offers that help differentiate it from other Top 5 2PB+ cyber secure backup targets include:

• Air gap replication. Using the OceanProtect X9000 enterprises may con gure a replication SLA. This setting determines the replication frequency and how often the network link becomes active.

The OceanProtect 1st makes copies of backups in the form of read-only snapshots on the primary OceanProtect X9000 target. Once created, it replicates snapshots from the primary OceanProtect backup target to one in the isolation environment.

The network link between the production and isolation OceanProtect systems only becomes active when replication occurs. This ensures data copies at the isolation site remain of one most of the time to minimize their exposure to of attacks. It also reduces the probability that any backups infected with ransomware get replicated to the isolation site.

• End-to-end data encryption. To counter the growing problem of data leakage, or exfiltration, during ransomware attacks, OceanProtect offers end-to-end data encryption. Using AES-256 encryption, it encrypts data at-rest using array encryption and infight during air gap and remote replication. To handle encryption’s overhead, a single OceanProtect X9000 system can scale to hold over 1,500 CPU cores.

• Scan backups for ransomware by connecting to its OceanCyber data security appliance. Despite all the precautions that enterprises take to protect their data from ransomware, it may still slip in undetected. This may occur due to new strains coming in undetected by current enterprise anti-malware and rewall software. To counter this, the company offers its OceanCyber data security appliance.

It connects to 4 different firm’s storage systems, to include the OceanProtect X9000. Using OceanCyber appliances, enterpises may set and manage security policies to monitor and alert for ransomware across these systems. It can scan data at up to 50TB/hour for ransomware and generate alerts if it detects any anomalies.

Infinidat InfiniBox/InfiniGuard
The complementary Infinidat InfiniBox F6320 and InfiniGuard B4320 cyber secure backup targets meet competing enterprise backup requirements. Both backup targets utilize the same underlying OS (InfuzeOS) that facilitates fast backups. However, each model includes specific features to address the competing backup and recovery requirements that enterprises may have.

Each enterprise’s requirements for how they manage backups and for facilitating fast recoveries will influence their choice between these two Infinidat systems. Enterprises that need a backup target that maximizes available storage capacity should choose the InfiniGuard B4320. This model scales to over 50PBs of storage capacity, offers data de-dupe, and uses an InfiniBox as its back-end storage. Those enterprises that need the backup target to host application and data recoveries should give preference to the InfiniBox F6320.

Other features that the InfiniBox F6320 and the InfiniGuard B4320 offer that further help differentiate them from other 2PB+ cyber secure backup targets include:

• Built-in IndiniSafe cyber storage technology. The InfiniSafe feature represents, perhaps, Infinidat’s most distinguishing feature set when compared to other cyber secure backup targets. Included as a core feature on both the InfiniBox and InfiniGuard, InfiniSafe offers key cyber security features that enterprises need today.

These include immutable snapshots, logical air-gapped data protection, a fenced forensic network, and near-instantaneous recoveries. Infinidat guarantees recoveries in 20mn or less for the InfiniGuard B4320 and under 1mn for the InfiniBox F6320, regardless of the dataset size.

Its fenced forensic network specifically stands out among available backup targets. Enterprises may validate backups during recoveries in a private network environment. This helps to ensure recovered backups are ransomware-free so enterprises may safely use the data in production.

• Both systems offer high availability with redundant storage hardware. The 2 Infinidat solutions illustrate why highly available backup targets have become a necessity for enterprises. In addition to continually servicing backups, backup targets may also need to facilitate fast restores and perform forensic analysis.
The InfiniBox and InfiniGuard facilitate both of those activities with the InfiniBox optimized for hosting recoveries. The company delivers these high levels of availability and performance. Its storage architecture inherently provides a triple-active redundant architecture that ensures that the critical hardware and software components of each system have at least 2 redundancies. Further, its Infini RAID technology maintains data integrity beyond normal RAID limitations.

• 100% system availability guarantee. Many providers of high-end storage systems jockey for position as to how many “nines” of availability their solution provides. The manufacturer minimizes the need for enterprises to have to make calculations for how much downtime they might expect annually. Rather, it provides a 100% system availability guarantee specifically for its InfiniBox systems.

Nexsan Unity NV10000
Having just celebrated its 25th year of providing storage solutions, Nexsan differentiates itself from competitors by providing cost-effective, reliable storage. The durability of its storage systems has also become well-documented in the storage industry as they exemplify the “set-it-and-forget-it” tagline.

The Unity NV10000 represents one of firm’s 4 lines of storage systems. It offers a unified storage interface (sometimes referred to as universal storage) with support for block, file, and object storage network protocols.

As a cyber secure backup target, enterprises often utilize the Unity NV10000’s NAS interface. However, they may access and use its other storage network protocols at any time since the vendor offers all-inclusive software licensing.

Other features that the Unity NV10000 offers that further help differentiate it from other 2PB+ cyber secure backup targets include:

• Highest terabytes per rack unit (TB/RU) of any 2PB+ cyber secure backup target. Every enterprise knows how much their data center space costs. The Unity NV10000 separates itself from all competitors by effectively utilizing available rack space. When fully populated, it achieves nearly 10PB per RU. The vendor specifically engineers the Unity NV10000 to account for HDD vibrations. This minimizes HDD failures and extends the life of the HDDs. This results in long life spans (5+ years) for its Unity systems that consume minimal data center floor space.

• Offers an immutable, unbreakable backup solution. The Unity NV10000 supports block, file, and object storage protocols that respectively offer immutable block and file snapshots and object lock. These features protect enterprise backups and position enterprises to quickly recover. However, some enterprises want even higher levels of protection from ransomware as part of their backup process.

To accommodate these emerging enterprise demands, the company offers an immutable, unbreakable backup solution. This solution combines the Unity NV10000 with its separate Assureon Active Data Vault.

In this configuration, enterprises may tier backups off the Unity NV10000 to Assureon to obtain additional data protection features. These features include data integrity checks, more restricted access controls, and self-healing. Further, enterprises may implement Assureon in the cloud, on-premises, or as part of a hybrid cloud configuration.

• FASTier cache and dual-active controllers for accelerated backups and restores. Every enterprise wants to protect its backups from ransomware, but they still must quickly complete backups and restores. To facilitate these activities, the Unity NV10000 offers dual-active controllers and a FASTier cache with SSDs. These features work in conjunction with one another to offer HA, improved processing, and read-and-write caching.

VAST Data Platform
It distinguishes itself by giving enterprises the exibility to scale either its compute or storage resources independently. To accomplish this, VAST uses a disaggregated and shared-everything architecture (DASE). This design facilitates enterprises adding only the resources that they need as they need them.

The company also represents one of the few cyber secure backup targets to exclusively use an all-flash architecture. Its architecture uses storage class memory (SCM) as a high performance write buffer and global metadata store. It combines that with dense, low-cost flash (currently QLC) which it uses to store backups.

Cyber secure features that the VAST Data Platform offers that help differentiate it from other Top 5 2PB+ cyber secure backup targets include:

• Minimal to no performance backup or recovery penalties despite using data reduction. Backup targets often use data reduction technologies such as compression and de-dupe to minimize storage costs. However, using these technologies often incurs performance penalties during both backups and restores.

VAST’s DASE architecture coupled with its use of flash minimizes or eliminates the normal performance penalties associated with data reduction. VAST stores all hash tables and data reduction metadata in its SCM layer. It then stores all compressed and de-duped blocks on its QLC flash. This combination provides high levels of both data reduction and performance while minimizing flash’s cost.

• Can instantly recover VM. The Data Platform is a universal, as opposed to a purpose-built, storage system. While it can function as a backup target, it also provides production-level performance so it can host recoveries. Further, the firm compresses and de-dupes all data stored on its system using its Similarity Reduction algorithm. This architecture lends itself well to performing instant recoveries that may literally instantly occur. Should an enterprise need to restore a VM, it can instantly recover a backed up VM from deduplicated data.

• “Quick Clean Room” feature. Anytime a ransomware attack occurs, enterprises must always assume a worst-case scenario when performing restores. Among these assumptions, enterprises should start with the assumption that ransomware may reside in the backups they use for restores.

To help enterprises account for this possibility, the Data Platform offers its Quick Clean Room feature. This feature logically and physically isolates connectivity to the platform’s backup data. An enterprise may restore data into this isolated location and test it for ransomware before restoring data into production.