At some point, the chances are high that ransomware will pierce the defenses you have tried to put in place at your healthcare organization. When that occurs, your healthcare organization needs a ransomware recovery strategy, which enhances your typical backup and recovery processes. Below is a three-step program for ensuring that you can recover from an attack.
Step 1 – Frequent Backups
Ransomware, unlike any other disaster, can strike anywhere. No data center is safe. It can also hit at any time, with no warning. Traditional once-a-night backups can mean losing eight hours or more of data. The first step in a ransomware recovery strategy is ensuring that the frequency of backups increases on all data. Modern backup-server software enables IT to execute backups more frequently thanks to block-level incremental backups, significantly reducing that backup transfer payload. Unfortunately, legacy backup storage targets can’t handle the IO load of potentially hundreds of virtual machines or applications sending BLI backups simultaneously. The backup storage target becomes the bottleneck forcing IT to select only a few VMs or applications for this level of protection. A modern solution needs to provide high-performance to ingest hundreds of simultaneous BLI backups while maintaining a low cost.
A few vendors are proposing an all-flash backup appliance. While using a flash-only backup appliance does, for now, resolve the ingest performance issue, it significantly adds to the cost of the backup infrastructure. Despite these vendors’ claims that flash is reaching price parity with hard disk drives (HDD), the reality is HDDs continue to enjoy a 10X price advantage over flash drives. However, the value advantage of HDDs is only realized if the backup storage target can properly support high-density (16TB, 18TB, 20TB) hard drives without forcing the healthcare organization to suffer through a week-long recovery from media failure (RAID rebuild) times.
A modern backup solution needs to blend flash and hard disk drives to create a flash-first backup appliance. Maintaining this balance requires using high-density flash drives and extracting maximum performance from those drives, allowing the solution to rapidly ingest hundreds of BLI backups, maintaining them on the flash-tier for weeks, and automatically moving them to a cost-effective hard disk tier as the backup data ages.
Step 2 – Backup Immutability
Backup data is as vulnerable to a ransomware attack as any other data set, potentially more so because bad actors are now specifically seeking out the backup data set first. Also, many healthcare organizations defy best practices and mount their backup storage repositories as an SMB mount point. Backup-server software is doing an excellent job of detecting ransomware, but backup storage must protect backup data from an attack. The answer is immutability. The backup storage target needs to store each backup job in an immutable state and roll back to any version of the backup data, not just the latest.
Again, a few vendors provide immutable backup storage, but most of these are object storage vendors that leverage the immutable nature of the protocol. This protocol inflexibility requires healthcare organizations to shift from SMB, NFS, or iSCSI mounting of their backup storage to the new protocol. Object storage is not known for high performance, so it won’t keep pace with the high-performance ingest requirement above, forcing the organization to potentially require two backup storage targets for their ransomware recovery strategy.
A modern backup storage target needs to provide 100% immutability of each backup job and have the ability to roll back in time to any version of those backup jobs. Given the sophistication of recent ransomware attacks, the rollback capability must span months to even a year. The immutability needs to be available across all protocols, not just object storage, so the healthcare organization can maintain its current protocol preference, even if it is SMB. The modern backup storage target should also provide its immutability with no impact on performance, regardless of immutable backup depth, so it can continue to meet the requirements of step one.
Step 3 – True Instant Recovery
Once ransomware infects an organization, IT is in a race against time. IT must determine what part of the data set the malware is infecting, identify the backup data not infected, recover that data, reverify one more time, and bring applications back online. Even under ideal circumstances, the process will take some time.
The good news is that most modern backup-server software can instantiate the virtual machine’s or application’s data on the backup storage devices, saving network transfer time. The process is often called instant recovery. Some backup-server software solutions go so far as to scan the instantiated data before making it available.
The first two steps are critical in making instant recovery practical for ransomware recovery. First, IT needs to have a recent copy of data before the attack to avoid losing multiple hours or even days of new and modified data. Second, IT needs to have confidence that they can access versions of backups that are immune to the attack.
The third and most critical element is ensuring that IT can return users and applications to operation quickly. In theory, instant recovery-like features should help; the problem is, again, the backup storage target. Legacy backup storage offers performance that is so much slower than the production equivalents that they are unusable. Also, their poor performance slows down the inspection process of making sure no malware is resident on the recovered data.
A modern backup storage target needs to, once again, leverage its flash tier to solve this problem. The flash tier has to extract the maximum performance from eight to twelve flash drives. If it can, then the flash tier will provide the performance the backup-server software needs to rapidly validate the data and make it available to the production virtual machines or applications directly.
The modern backup storage target also needs to provide enterprise-class high availability and data protection so that IT gains the benefit of time. The IT team can take the time to make sure that they eradicate the malware from the entire infrastructure before they start moving the dataset back to its original location. This benefit of thorough malware eradication is only possible if the modern backup storage target can provide a production-class environment from which to host the healthcare organization’s data while this eradication is underway.
About George Crumphas
George Crumphas over 25 years of experience in the storage industry, holding executive sales and engineer positions. Before joining StorONE, he was the founder and lead analyst at Storage Switzerland.