Greater Ransomware Protection With Data Isolation And Air Gap Technologies

September 17, 2020 | March 8th, 2024 | Blog

Protecting your data and ensuring its availability is your top priority. Like a castle in medieval times, you must always defend it and have built-in defense mechanisms. Your data is under attack from external and internal sources, and you do not know when or where the next attack will come from. Vigilance is required, and you want multiple levels of safeguards for greater data protection. The same is true for your organisation; a single event can threaten the bottom line or define a career. So how do you prepare? By making sure you’re recovery ready.

Ransomware protection with data isolation and air gap

With cyber threats becoming increasingly sophisticated, having a layered approach to securing your data greatly reduces the risk and impact to your organization. Commvault Complete™ Backup & Recovery software includes several layers and tools to protect and restore your data and applications. Two proven techniques for reducing the attack surface on your backup data are data isolation and air gapping.

The goal of isolating backup data with Commvault is to have secondary and/or tertiary copies of backup storage targets segmented and unreachable from the public portions of the environment using virtual LAN (VLAN) switching, next generation firewalls, or zero trust technologies. If your organization is infiltrated by ransomware or a malicious attacker, the cyber threat will have a limited attack surface. The public portions of the environment may get infected, but the isolated data will not because it cannot be accessed. To be most effective, isolated environments should be accessible neither from the organization's public networks nor from the internet. Physical access to isolated resources should be secured and heavily controlled. All inbound network communication is blocked, and only restricted outbound access is allowed. Commvault will then securely tunnel from the isolated storage targets to the Commvault resources and source storage targets for data replication.

Air gapping is another technique that complements data isolation. Traditionally, air gapped networks have absolutely no connectivity to public networks. Tape is a traditional medium for air gapped backups, because tape can be removed from the tape library and stored offsite. To air gap secondary backup targets on disk or in the cloud, some access is needed, but when it is not needed, communication is severed. Air gapping works like a medieval castle. The castle is surrounded by a moat with water, and the walls are impenetrable. The only access allowed to the castle is the drawbridge that is let down periodically to bridge the gap. When the isolated data does not need to be accessed, communication is severed by turning communication ports off, disabling VLAN switching, enabling next gen firewall controls, or turning systems off. This process is fully orchestrated and automatic using the Commvault workflow engine.

Commvault provides secure replication of data to an isolated environment with air gap capabilities. The isolated environment is completely blocked from all incoming connections. Outgoing connections are restricted, which greatly reduces the attack surface of cyber threats. Once data is fully replicated, the connection can be severed, and the secondary data becomes air gapped until data needs to be replicated again or recovered.
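The isolation model described above (no inbound connections, restricted outbound connections, and no connections at all while air gapped) can be checked against a firewall rule export. The following is an added example, not Commvault code or configuration; the addresses, the port number, and the rule format are constructed for illustration.

```python
import ipaddress

# Constructed addressing for this example; none of it comes from the page.
ISOLATED_NET = ipaddress.ip_network("10.99.0.0/24")           # isolated backup copies
REPLICATION_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]  # source storage targets
TUNNEL_PORT = 8443                                            # hypothetical tunnel port

# Rules describe who may open a NEW connection; replies on a connection the
# isolated side opened are assumed to be handled by a stateful firewall.
RULES = [
    {"id": "R1", "action": "allow", "src": "10.99.0.10/32", "dst": "10.10.5.4/32", "port": 8443},
    {"id": "R2", "action": "allow", "src": "10.10.0.0/16", "dst": "10.99.0.0/24", "port": 445},
    {"id": "R3", "action": "allow", "src": "10.99.0.0/24", "dst": "0.0.0.0/0", "port": 443},
    {"id": "R4", "action": "deny", "src": "0.0.0.0/0", "dst": "10.99.0.0/24", "port": None},
]


def audit(rules, gap_open):
    """Return (rule id, finding) pairs for allow rules that break the isolation model.

    gap_open is True during a replication window and False while air gapped.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        from_isolated = src.subnet_of(ISOLATED_NET)
        if dst.overlaps(ISOLATED_NET) and not from_isolated:
            findings.append((rule["id"], "inbound allow into isolated network"))
        elif from_isolated and not dst.subnet_of(ISOLATED_NET):
            if not gap_open:
                findings.append((rule["id"], "outbound allow while air gapped"))
            elif not any(dst.subnet_of(net) for net in REPLICATION_SOURCES):
                findings.append((rule["id"], "outbound allow to non-replication destination"))
            elif rule["port"] != TUNNEL_PORT:
                findings.append((rule["id"], "outbound allow on non-tunnel port"))
    return findings


if __name__ == "__main__":
    for window, state in ((True, "replication window open"), (False, "air gapped")):
        print(state, audit(RULES, window))
```

Running the audit once with the window open and once with it closed shows that rule R1, which is legitimate during replication, becomes a finding as soon as the environment is meant to be air gapped.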

Key advantages and value of Commvault data protection

Commvault data protection with data isolation and air gap provides organizations the following advantages against ransomware:

Communication is initiated from the isolated site

All access to the isolated data is blocked. Only restricted outbound connections are allowed from the isolated data to the source data for replication. This can be referred to as a pull configuration (as opposed to push), where Commvault manages data protection and retention, but communication initiates from the secured isolated side.

Air gap ready

Replicated data can be air gapped by severing the encrypted tunnel initiated from the isolated site. The Commvault automation framework makes it simple to customize this functionality as required.

Industry leading security controls

Commvault’s AAA Security Framework (Authentication, Authorization, Accounting) provides a suite of security controls to harden the Commvault platform. Additionally, Commvault uses end-to-end encryption and certificate authentication, protecting against malicious data access, man-in-the-middle attacks, and spoofing.

Foundational hardening

Harden the Commvault platform foundation using industry-leading CIS Level-1 benchmarks.

Immutable backups

Using layered security controls, write once read many (WORM) capabilities, and built-in ransomware protection for backup data, Commvault locks backup data from unauthorized random changes. This helps preserve the integrity of backups by preventing bad actors, whether intentional or unintentional, from modifying or deleting backup data.

Data verification

Commvault validates data integrity during backup, when data is at rest, and during data copy operations. When data is backed up for the first time, CRC checksums are computed for each data block on the source client. These signatures are used to validate the initial backup data and are stored with the backup. Verification operations run automatically utilizing the signatures to validate the backup data at rest. When copying the data, the signatures are used to validate the blocks of data during the copy operation.
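The per-block signature flow described above (compute at the source, store with the backup, verify at rest, verify again during copy) looks like this in outline. This is an added example, not Commvault's implementation; the page does not name the CRC variant or block size, so CRC-32 from Python's zlib and a 4-byte block are assumptions, and the sample data is constructed.

```python
import zlib

BLOCK_SIZE = 4  # assumed; tiny so the constructed sample spans several blocks

SOURCE = b"constructed backup payload"  # constructed sample data
# Same data with one bit flipped at offset 9, which falls in block 2.
CORRUPTED = SOURCE[:9] + bytes([SOURCE[9] ^ 0x01]) + SOURCE[10:]


def make_signatures(data, block_size=BLOCK_SIZE):
    """Compute one CRC-32 per block on the source; stored alongside the backup."""
    return [zlib.crc32(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def verify_at_rest(stored, signatures, block_size=BLOCK_SIZE):
    """Return the indexes of stored blocks that no longer match their signature."""
    stored_blocks = -(-len(stored) // block_size)  # ceiling division
    bad = []
    for idx in range(max(len(signatures), stored_blocks)):
        block = stored[idx * block_size:(idx + 1) * block_size]
        # Extra blocks with no signature, or missing blocks, also count as failures.
        if idx >= len(signatures) or zlib.crc32(block) != signatures[idx]:
            bad.append(idx)
    return bad


def verified_copy(stored, signatures, block_size=BLOCK_SIZE):
    """Copy block by block, refusing to propagate a block that fails its CRC."""
    out = bytearray()
    for idx, sig in enumerate(signatures):
        block = stored[idx * block_size:(idx + 1) * block_size]
        if zlib.crc32(block) != sig:
            raise ValueError(f"block {idx} failed CRC check during copy")
        out += block
    return bytes(out)


if __name__ == "__main__":
    sigs = make_signatures(SOURCE)
    print("at rest, intact:   ", verify_at_rest(SOURCE, sigs))
    print("at rest, corrupted:", verify_at_rest(CORRUPTED, sigs))
    print("copy ok:", verified_copy(SOURCE, sigs) == SOURCE)
```

A CRC is unkeyed, so it catches accidental corruption but does not by itself resist deliberate modification; that is the job of the WORM and I/O-stack locking controls described on this page.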

Cyber/Ransomware attack protection

Backup data is locked and can only be modified by Commvault processes. Any attempt by ransomware, an application, or a user to delete, change, or modify backup data from the data mover (media agent) will be rejected within the I/O stack unless it comes from an authorized Commvault process. Additionally, Commvault uses machine learning algorithms to detect file-based anomalies that may indicate a ransomware attack on a Commvault resource.

Hardware agnostic

Commvault supports a variety of disk, cloud, and object storage vendors. When using Commvault for an air gap solution, any supported storage vendor can be used, including the Commvault HyperScale™ Appliance. Commvault also supports WORM and immutable locks used with third-party storage devices.

Commvault backup and recovery software integration

Commvault features such as indexing, analytics, and deduplication are all part of the data isolation and air gap solutions.