Air Gap – Allowing your backup data to breathe life back into your organization in times of crisis

Catalogic 03/27/2020 1 Comment

We live in a data-driven age where data is the lifeblood of organizations. As a result, cybercrime is skyrocketing: cybercriminals seek to exploit human or security vulnerabilities in order to steal passwords, data or money directly.

Many organizations have recently been subject to outages as a result of attacks by cybercriminals, outages that cause loss of data, services, reputation and revenue.

According to research, cybercriminals in 2019 made revenue in excess of $1.5 trillion. To put this into perspective – Walmart, Amazon, Apple, Microsoft, Facebook and Tesla combined made an annual revenue of $1.28 trillion.

Cybercriminals will use any scenario in an attempt to financially benefit — even the COVID-19 pandemic.

Cybercriminal activity is one of the biggest challenges that humanity will face moving forward

A key goal for every organization is to ensure that cybercriminals are kept out. But due to the number of security vulnerabilities in operating systems and software, it’s almost impossible to do so, even with the best security and infrastructure expertise. Disruptive situations like all staff suddenly working from home outside of internal firewalls can also open up organizations to new or increased threats.

While I’m a fan of disk-to-disk backup solutions for their speed and simplicity, they are exposed to risk if all your backup data resides on network-connected devices. It’s a vulnerability I have seen exploited and, unfortunately, if both your primary data and secondary data are locked or infected then you’re exactly where the cybercriminals want you to be: stuck between a rock and a hard place.

Given that vulnerability, every organization requires a resilient and robust data protection strategy and solution to ensure it can recover from cyber-attacks. The strategy and solution should enable data to be protected as the organization requires, and ensure that all services can be restored to a functional, working state.

So, if a disk-to-disk data protection solution is a vulnerability, what’s the answer?

An Air Gap

What’s that? The term means a device, computer, or network that has no network interfaces connected to other networks (i.e. the Internet or the LAN): there is a physical or conceptual gap of air between it and everything else. If the location where your data resides has no connectivity, then it cannot be hacked. An air gap is therefore a security measure that protects data from intrusion and enables immutability.

Many organizations incorporate an air gapped copy into the 3-2-1 backup and recovery strategy.

3-2-1 means you have at least 3 copies of your data: 2 of them local but on different storage media (e.g. disk and tape), and 1 copy offsite (air gapped), on either tape or a more modern cloud object storage offering (check the finer details of these, as only a few are immutable). 3-2-1 is always a good starting point for organizations creating or reviewing data protection strategies.
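As an added example (not Catalogic or DPX code), the check below evaluates a backup inventory against the 3-2-1 rule just described, including the caveat that an offsite copy only counts as an air gap when it is offline or immutable. The inventory format, the BackupCopy fields and the three sample inventories are constructed for this example; the inventory is assumed to list every copy of the data, the production copy included.

```python
"""Check a backup inventory against the 3-2-1 rule described above.

Added example, not Catalogic/DPX code. The inventory format is an assumption:
every copy of the data, the production copy included, is listed as a BackupCopy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str       # "disk", "tape", "object-storage", ...
    offsite: bool     # held away from the primary site
    networked: bool   # reachable (and therefore rewritable) from the production network
    immutable: bool   # WORM tape, object lock, immutable blob, ...


def check_321(copies):
    """Return a list of findings; an empty list means 3-2-1 with an air-gapped offsite copy is met."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; need at least 3")
    local_media = {c.medium for c in copies if not c.offsite}
    if len(local_media) < 2:
        findings.append("local copies do not span 2 different media")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no offsite copy")
    # An offsite copy only counts as air gapped if ransomware that reaches the
    # production network cannot also reach and rewrite it: physically disconnected
    # (tape on a shelf) or immutable (object lock). Plain networked storage is neither.
    elif not any(c.immutable or not c.networked for c in offsite):
        findings.append("offsite copy is network-reachable and not immutable: not an air gap")
    return findings


# Constructed inventories for illustration.
DISK_ONLY = [
    BackupCopy("production", "disk", offsite=False, networked=True, immutable=False),
    BackupCopy("d2d-backup", "disk", offsite=False, networked=True, immutable=False),
]
TAPE_321 = [
    BackupCopy("production", "disk", offsite=False, networked=True, immutable=False),
    BackupCopy("local-tape", "tape", offsite=False, networked=False, immutable=False),
    BackupCopy("offsite-tape", "tape", offsite=True, networked=False, immutable=False),
]
CLOUD_NO_LOCK = [
    BackupCopy("production", "disk", offsite=False, networked=True, immutable=False),
    BackupCopy("local-tape", "tape", offsite=False, networked=False, immutable=False),
    BackupCopy("cloud-bucket", "object-storage", offsite=True, networked=True, immutable=False),
]

if __name__ == "__main__":
    for label, inventory in (("disk only", DISK_ONLY), ("tape 3-2-1", TAPE_321),
                             ("cloud without object lock", CLOUD_NO_LOCK)):
        print(label, "->", check_321(inventory) or "OK")
```

The disk-only inventory is the disk-to-disk situation described earlier: every copy is on the network, so a compromise of the network can reach all of them. The cloud inventory passes the count and media checks but fails the last one until object lock (or an equivalent immutability feature) is turned on.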

See what an example architecture of a 3-2-1 air gapped solution looks like with Catalogic DPX.

An air gap is most often enabled via the most opinion-dividing medium on the market: tape.

It’s the medium that more experienced IT professionals tend to love, and execs, marketing, and newer-generation IT professionals tend to hate. Let’s have a look into why.

Some of the more common reasons people love tape:

  • It’s reliable – magnetic tapes can still be read safely after 30 years, while the average hard drive will generally only last around five years
  • It’s secure and enables air gapped solutions
  • It’s scalable
  • It’s cost effective – mostly due to high capacities, with LTO-8 providing 12TB native and up to 30TB compressed capacity per cartridge and it has reduced energy costs vs. disk
  • It’s quicker than it’s given credit for, with a max uncompressed speed of 360MBps and a max compressed speed of 900MBps when using LTO-8
  • It’s used by technology giants such as Amazon, Microsoft and YouTube
  • It isn’t going to die anytime soon with LTO-9 and LTO-10 already announced and capacities and transfer speeds continuing to increase

Some of the more common reasons people hate tape:

  • Complex management and the need for expertise in a backup product to manage and orchestrate the tapes. If not correctly managed, it quickly becomes unmanageable and can result in data not being recoverable and tapes being misplaced
  • Time to restore – a DR scenario involves moving the tape to an offsite location and then manual steps taken by experts to get the data restored. DR testing is key to understanding the RTOs that are achievable from offsite tapes
  • High initial capex investment to purchase suitable library/libraries, drives, connectivity, server(s) and tapes for production and DR (DR could be a shared site offered via a business continuity provider with access to the relevant infrastructure)

Love it or hate it, it’s here for the long term. However, if you are really opposed to tape for air gapping, have a look at some of the more modern solutions available such as immutable cloud object storage from IBM, immutable blob storage from Microsoft, and S3 object lock from AWS.

Why are air gaps so important? With them in place we don’t let cybercriminals win – paying the ransom only breeds more of the same kinds of attacks. Ensure your data is protected via a 3-2-1 backup and recovery strategy including an air-gapped offsite copy with Catalogic DPX. Things have come a long way in the world of backup and recovery in the last 20 years, during which Catalogic has been focused on the creation of robust solutions such as air gaps that enable backup data to breathe life back into your organization in times of crisis.

If you want to learn more, get a no obligation quote, or run a proof of concept, feel free to get in contact with us. Look forward to hearing from you.

In my previous post, I discussed how snapshots are a feature, and not a solution. Snapshots, in conjunction with RestoreManager, can enable NetApp users to have a valid data protection solution. In this post, I’m going to discuss how snapshots are an important feature to recovering data effectively and efficiently in the event of a ransomware attack.

Sadly, we live in a day and age whereby ransomware is the “go-to method of attack” for cybercriminals. According to Cyber Security Ventures, it’s estimated that every 14 seconds a business falls victim to a ransomware attack. We see details of the impact of attacks in the news on almost a daily basis, and it’s severely impacting the ability of all business types to generate revenue and function normally. The damage of these attacks is costing billions globally, with the estimated cost predicted to reach over $20 billion by 2021.

Due to this, a question frequently asked of Catalogic is, “how can I ensure the content within my NetApp environment is fully protected from the threat of ransomware, and more importantly, how can I recover only the files potentially infected by a ransomware hit?”

Our simple answer: CryptoSpike

CryptoSpike delivers real-time detection of ransomware on NetApp file systems. It enables protection through 3 key elements:

  1. The Blacklist – This stops ransomware at the front door. The Blacklist contains over 2960 file types and ransomware signatures, which we prevent from being stored on the filer. The Blacklist is automatically updated by a global team that collects information on the latest known ransomware attack signatures and file types from multiple sources.
  2. The Whitelist – This blocks all file types except those on the allowed list. This is very good from a security perspective but limits the types of files that can be stored. It works very well when applied at a granular level, e.g. an accounting share that allows only Excel files.
  3. The AI Learner Module – The most intelligent part of the product. Because we are monitoring SMB transactions on the filer, we can detect unusual behavior, e.g. too many files read or altered in a period of time compared with that user’s typical behavior, and cut off the user’s access. This means that if an unknown or cutting-edge attack starts, or a malicious user wants to start wreaking havoc, CryptoSpike prevents it by blocking the user.

Monitoring can be set up granularly, and all SMB transactions can be monitored for clusters, SVMs, volumes, and shares.

The impact of enabling monitoring is minimal. Generally, you can expect up to a 0.3ms increase in latency due to the TCP packets exchanged between ONTAP and the FPolicy servers.

All this sounds great, but what about the ability to recover data in the event of a ransomware attack?

One of the key differentiators of CryptoSpike is the ability to quickly restore individual files from snapshots, meaning that in the event of a ransomware attack or data breach you only recover the impacted data. This enables NetApp users to use Snapshots as a valid ransomware protection solution.

The data to recover can be quickly and easily identified via file activity reporting, because CryptoSpike monitors and logs all user file access (reads, writes, opens, etc.). This means you can identify who was infected, who accessed which files, who made changes to files, and who deleted files. You are then able to make quick, business-oriented decisions to ensure the business’s data is recovered and available again, so that normal business operations continue.
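To make the three controls concrete, here is an added example (not CryptoSpike, ProLion or Catalogic code) that runs a constructed stream of SMB file events through a simplified policy engine: an extension blacklist, a per-share whitelist, and a per-user rate baseline that blocks a user who exceeds a multiple of their usual write rate. It also models the two operating modes described later on this page (asynchronous, where hits are only recorded and alerted, and synchronous, where they are enforced) and produces the per-user list of touched files that the file activity reporting above is used for. The event format, the sample lists, the baselines and the thresholds are all constructed for illustration.

```python
"""Simplified model of the three controls described above (extension blacklist,
per-share whitelist, per-user behaviour baseline), the asynchronous/synchronous
modes, and the per-user file activity report used to scope a restore.

Added example, not CryptoSpike/Catalogic code. The event format, the lists,
the baselines and the thresholds are all constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample lists; a production blacklist is far larger and fed from updates.
BLOCKED_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
SHARE_ALLOWLIST = {"finance": {".xlsx", ".xls", ".csv"}}  # shares not listed: no whitelist
# Constructed per-user baseline of write/rename/delete operations per minute.
BASELINE_OPS_PER_MIN = {"alice": 4.0, "bob": 6.0}
DEFAULT_BASELINE = 5.0
ANOMALY_FACTOR = 10                 # flag a user above 10x their baseline
WINDOW = timedelta(minutes=1)
CONTENT_OPS = {"write", "rename", "create"}   # checked against the extension lists
RATE_OPS = {"write", "rename", "delete"}      # counted toward the per-user rate


class Monitor:
    def __init__(self, enforce=False):
        self.enforce = enforce          # False: asynchronous (alert only); True: synchronous (block)
        self.alerts = []                # (user, reason, detail)
        self.blocked_users = set()      # populated in both modes; only enforced in synchronous mode
        self.activity = defaultdict(list)   # user -> [(ts, op, path)] for activity reporting
        self.windows = defaultdict(deque)   # user -> timestamps of recent rate ops

    def handle(self, event):
        """Process one SMB event (ts, user, share, op, path); return "allow" or "deny"."""
        ts, user, share, op, path = event
        self.activity[user].append((ts, op, path))   # log everything, allowed or not
        if user in self.blocked_users:
            return "deny" if self.enforce else "allow"
        reasons = []
        ext = os.path.splitext(path)[1].lower()
        if op in CONTENT_OPS:
            if ext in BLOCKED_EXTENSIONS:
                reasons.append("blocklist")
            allowed = SHARE_ALLOWLIST.get(share)
            if allowed is not None and ext not in allowed:
                reasons.append("allowlist")
        if op in RATE_OPS:
            window = self.windows[user]
            window.append(ts)
            while ts - window[0] > WINDOW:       # drop timestamps older than one minute
                window.popleft()
            if len(window) > ANOMALY_FACTOR * BASELINE_OPS_PER_MIN.get(user, DEFAULT_BASELINE):
                reasons.append("rate")
                self.blocked_users.add(user)     # the "Blocked Users" entry exists in both modes
        for reason in reasons:
            self.alerts.append((user, reason, path))
        return "deny" if reasons and self.enforce else "allow"

    def impacted_files(self, user):
        """Distinct files a user wrote, renamed or deleted: the candidate list for a targeted restore."""
        return sorted({p for _, op, p in self.activity[user] if op in RATE_OPS})


def constructed_events():
    """A small constructed SMB event stream: normal activity, two policy hits, then a burst."""
    t0 = datetime(2020, 3, 27, 9, 0, 0)
    events = [
        (t0, "alice", "finance", "write", "q1/budget.xlsx"),
        (t0 + timedelta(seconds=5), "alice", "finance", "write", "q1/memo.docx"),        # not on the finance whitelist
        (t0 + timedelta(seconds=10), "alice", "projects", "rename", "notes.txt.locked"),  # blacklisted extension
    ]
    for i in range(70):   # bob rewrites 70 documents in 35 seconds, roughly 10x his baseline
        events.append((t0 + timedelta(seconds=20 + i * 0.5), "bob", "projects", "write", f"doc{i:03d}.docx"))
    return events


def run(enforce):
    """Replay the constructed events through a monitor; return (monitor, decisions)."""
    monitor = Monitor(enforce=enforce)
    return monitor, [monitor.handle(e) for e in constructed_events()]


if __name__ == "__main__":
    m, decisions = run(enforce=True)
    print(decisions.count("deny"), "denied;", m.alerts, "; blocked:", m.blocked_users)
    print(len(m.impacted_files("bob")), "files to consider restoring for bob")
```

Two details are worth noting. The rate check fires on the 61st operation inside the one-minute window, so the files bob touched before that point are already rewritten; the impacted-file list, not the block itself, is what bounds the restore. And in asynchronous mode bob still lands in the blocked-user set and the alert list, which is exactly the evidence a proof of concept needs before the switch to enforcement.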

Additionally, CryptoSpike is incredibly simple to deploy with minimal resources required for 1x CryptoSpike Server and 2x F-Policy Servers.

The requirements for these are as follows:

  • CryptoSpike Server
    • 8vCPU
    • 4GB RAM
    • Minimum 100GB Disk Space
  • CryptoSpike FPolicy Server
    • 4vCPU
    • 4GB RAM
    • Minimum 20GB Disk Space
  • Connection between Data LIF SVM <-> FPolicy Server (high performance, low latency)
  • Connection between FPolicy Server <-> CryptoSpike Server (high throughput)
  • Connection between CryptoSpike Server <-> ONTAP Mgmt. (not performance critical)
  • Connection to https://cryptospike.prolion.at (for Black-List loading)
  • Connection to https://cryptospike.prolion.at/repository/ (for general updates)

All can be deployed via OVA files into VMware vSphere environments. An example of the architecture of a typical CryptoSpike setup is shown below:

Image: CryptoSpike Example Architecture

We understand that companies are hesitant to deploy CryptoSpike because of the potential impact of blocking user access to critical file data. To ease those doubts and ensure no actions are taken at the start of a proof of concept, we recommend you put CryptoSpike into asynchronous mode. In asynchronous mode, CryptoSpike will not block anything: the user will appear under “Blocked Users” and an email notification will be sent, so you can confirm that the user has not actually been blocked. After a period of 7+ days, you can then switch from asynchronous mode to synchronous mode, making CryptoSpike live and your environment protected.

If you want to learn more, get a no obligation quote or run a proof of concept, feel free to get in contact with us to quickly provide you with what you are looking for.

Ransomware/Malware Protection:

Ransomware activity is at an all-time high in 2020. Researchers estimate that a business is attacked by a cybercriminal every 11 seconds and expect that damage costs from these attacks will hit around $20 billion by 2021. With so many employees working remotely, accessing networks and critical data from personal devices and potentially flawed VPNs, it is especially important to prevent ransomware threats from accessing business-critical NAS data in CIFS and NFS shares.

That is where Catalogic Software’s CryptoSpike comes in.

CryptoSpike is a ransomware protection, prevention, and recovery tool designed to protect NAS data stored on CIFS and NFS shares on NetApp storage. It leverages NetApp’s FPolicy to monitor user behavior and identify when suspicious activity is occurring, stopping those activities in their tracks. CryptoSpike also integrates directly with NetApp to use single-file restores from NetApp snapshots to help recover from any attack. This removes the need to revert an entire snapshot, which would roll back every file on that volume.

CryptoSpike can protect your data from COVID-19-themed ransomware attacks, as well as other traditional and evolved forms of ransomware, by actively monitoring for suspicious behavior, quarantining possible threats, and giving you the ability to recover only the files affected by the attack.

File Access Transparency and Data Governance

But data security is not always about protecting your data from outside threats. Consumers’ personal information needs to be secure within your organization, as well. Data governance is the process of managing the availability, usability, integrity, and security of the data in enterprise systems, based on internal data standards and policies that also control data usage. Effective data governance ensures that data is consistent and trustworthy and doesn’t get misused.

Catalogic Software’s portfolio contains multiple products that can help maintain data governance standards. CryptoSpike, for example, provides file access transparency for file activity auditing. Through its FPolicy collection mentioned above, CryptoSpike collects all file activity and stores that activity data in its database. It then leverages Grafana dashboards to provide a visual representation of this audit data, which can be filtered to show activity for certain users, time frames, shares/volumes, etc. If, for example, a disgruntled employee is somehow able to view/copy/delete files that they should not have, CryptoSpike can provide a detailed list of those actions, and also restore those files from an earlier snapshot if needed.

Another product called RestoreManager can also help maintain an effective data governance standard by providing analytics and reporting on users’ file permissions and ownership. RestoreManager is a virtual appliance that provides an online catalog of NetApp NAS data for indexing, searching and restoring individual files or folders. To build this index of NetApp snapshots, RestoreManager performs a SnapDiff/CIFS crawl of file shares, storing the crawled metadata in an Elasticsearch database that is local to the appliance.

This allows for instant “Google-like” search for files/folders. It also allows end users to generate customizable reports for analyzing that data, using Kibana dashboards. These reports can help you understand exactly what type of data is stored on the NetApp systems, how old that data is, when it was last modified, etc. And, for the topic of data governance, they can present information on the specific permissions that users have on individual files and folders, and also a list of the files that each particular user “owns.”

Data Masking of Oracle Data for Data-Reuse

Another area where data security is extremely important is when production data is moved to non-production or cloud environments for testing or development purposes. Oftentimes, since non-production environments are generally not as protected or monitored as production environments, they become an easy target for cybercriminals. This means that when Oracle databases, for example, are copied to a non-production server for test/dev purposes, the data stored in those databases is at risk. For many organizations (take a hospital, for example), that data will include customers’ personal information, like credit card numbers, social security numbers, etc. Because of this, it is extremely important that when Oracle databases are mounted in non-production environments, this personal information is masked in some way. Data masking is the process of replacing sensitive values, like credit card numbers, with fake yet realistic-looking values.
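The following is an added example of what “fake yet realistic-looking” masking involves in practice; it is not ECX code nor any masking vendor’s algorithm. Replacement digits are derived from HMAC-SHA256 under a secret key, so the same real value always masks to the same fake value (foreign-key joins between tables in the test copy keep working) while the real value cannot be recovered from the masked one. Card numbers keep their length and leading digit and get a valid Luhn check digit; SSNs keep the NNN-NN-NNNN shape and avoid the reserved area numbers. The key, the column-to-masker map and the sample row are constructed for this example.

```python
"""Deterministic, format-preserving masking of card numbers and SSNs for
test/dev copies, as described above.

Added example, not Catalogic/ECX code nor any masking vendor's algorithm.
It derives the replacement digits from HMAC-SHA256 under a secret key, so the
same real value always masks to the same fake value (joins between tables still
work), while the real value cannot be recovered from the masked one."""
import hashlib
import hmac
import re


def _digits(key, domain, value, n):
    """n pseudo-random decimal digits derived from HMAC(key, domain:counter:value)."""
    out = []
    counter = 0
    while len(out) < n:
        mac = hmac.new(key, f"{domain}:{counter}:{value}".encode(), hashlib.sha256).digest()
        out.extend(b % 10 for b in mac)
        counter += 1
    return out[:n]


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # the rightmost digit of the partial is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == int(digits[-1])


def mask_card(key, pan):
    """Keep the length and the leading (network) digit, replace the rest, fix the Luhn digit."""
    digits = re.sub(r"\D", "", pan)
    middle = "".join(str(d) for d in _digits(key, "pan", digits, len(digits) - 2))
    body = digits[0] + middle
    return body + str(luhn_check_digit(body))


def mask_ssn(key, ssn):
    """Replace with a well-formed SSN: area 001-899 excluding 666, group 01-99, serial 0001-9999."""
    digits = re.sub(r"\D", "", ssn)
    d = _digits(key, "ssn", digits, 9)
    area = 1 + int("".join(map(str, d[:3]))) % 899
    if area == 666:
        area = 667
    group = 1 + int(f"{d[3]}{d[4]}") % 99
    serial = 1 + int("".join(map(str, d[5:9]))) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


MASKERS = {"card_number": mask_card, "ssn": mask_ssn}   # constructed column-to-masker map


def mask_record(key, record):
    """Mask the sensitive columns of one row; other columns pass through unchanged."""
    return {col: (MASKERS[col](key, val) if col in MASKERS else val) for col, val in record.items()}


if __name__ == "__main__":
    # Constructed key; in practice it comes from a secret store and never lands on the test server.
    key = b"constructed-example-key"
    row = {"patient_id": 7, "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111"}
    print(mask_record(key, row))
```

Because the mapping is keyed, the same production value masks consistently across every table in one test copy, but a different key (or a rotated one) yields an unrelated test copy; keeping the key out of the non-production environment is what makes the masked data worthless to anyone who breaches it.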

ECX, another product developed by Catalogic Software, provides the ability to seamlessly integrate with Data Masking software to automatically mask Oracle data as it is being mounted on a test server for development testing.

ECX provides automation and orchestration of application-consistent storage snapshots that can be used to backup and restore databases for applications like SQL, Oracle, and SAP HANA. This means that ECX can understand what storage volumes need to be snapshotted to protect specific applications. It then uses those snapshots to “restore” or spin up those databases on the same or alternate Oracle server for a variety of use cases. In this particular example, when ECX is tasked to copy an Oracle database from a production environment to a test server, the “restore” job can include integrated data masking workflows that will then mount a masked copy of that database to be used for development. This way, if there is a security breach in that non-production environment, cybercriminals will only have access to fake personal information.

Additional Data Security Features

In addition to masking Oracle data, ECX can also structure role-based access controls for the backup data, as well as the cloned volumes, VMs, and applications created by ECX. This means that ECX can limit the permissions of ECX users within the web-based GUI to view or perform certain tasks for specific use cases. SQL DBAs, for example, may be granted the ability to run individual SQL-specific backup and restore jobs, but will not have the ability to run any Oracle-based jobs or make changes to any backup SLA policies.
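As an added example (not ECX or DPX code), here is a deny-by-default role model that encodes the SQL DBA case just described: permissions are scoped by resource type, action and application, a user gets only what their roles grant, and every decision is logged so denied requests can be reviewed. The role names, resource types, actions and users are constructed.

```python
"""Deny-by-default role-based access control for a backup catalog, following
the SQL DBA example above. Added example, not ECX/DPX code; role names,
resource types, actions and users are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource_type: str       # "job", "sla_policy", "clone"
    action: str              # "view", "run", "edit", "create", "delete"
    application: str = "*"   # "sql", "oracle", "saphana", or "*" for any application

    def matches(self, resource_type, action, application):
        return (self.resource_type == resource_type and self.action == action
                and self.application in ("*", application))


# Constructed roles. The DBA role is scoped to one application and may only read SLA policies.
ROLES = {
    "sql_dba": {
        Permission("job", "view", "sql"),
        Permission("job", "run", "sql"),
        Permission("sla_policy", "view"),
    },
    "backup_admin": {
        Permission("job", "view"), Permission("job", "run"), Permission("job", "edit"),
        Permission("sla_policy", "view"), Permission("sla_policy", "edit"),
        Permission("clone", "create"), Permission("clone", "delete"),
    },
}
USERS = {"dana": {"sql_dba"}, "ravi": {"backup_admin"}, "intern": set()}


def is_allowed(user, resource_type, action, application="*"):
    """Allow only if one of the user's roles grants a matching permission; everything else is denied."""
    return any(perm.matches(resource_type, action, application)
               for role in USERS.get(user, ())
               for perm in ROLES.get(role, ()))


def authorize(log, user, resource_type, action, application="*"):
    """Decide and record the decision; denied requests are the ones worth alerting on."""
    decision = "ALLOW" if is_allowed(user, resource_type, action, application) else "DENY"
    log.append(f"{decision} user={user} {action} {resource_type} app={application}")
    return decision == "ALLOW"


if __name__ == "__main__":
    log = []
    authorize(log, "dana", "job", "run", "sql")       # allowed: SQL-specific job
    authorize(log, "dana", "job", "run", "oracle")    # denied: other application
    authorize(log, "dana", "sla_policy", "edit")      # denied: policy changes are admin-only
    print("\n".join(log))
```

A request that does not name an application cannot match an application-scoped permission, so a scoped role never gains rights by leaving the application out of the request; unknown users and users with no roles are denied everything.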

This feature is available in Catalogic Software’s DPX product as well. DPX is the first product that Catalogic launched, in the late ’90s. It is an all-purpose backup and restore solution for virtual and physical machines that can back up to multiple backup destinations like disk, tape, or cloud. This includes its own software-defined backup target that Catalogic developed, called vStor.

Just like ECX, DPX allows for structured role-based access controls to define specific backup users, etc., limiting them in areas that they should not have access to.

Another way that DPX promotes data security is its ability to perform encryption of backup data. This includes encryption for tape drives attached to a NetApp device. With hardware encryption, the tape device encrypts data as it is written to the tape. DPX can also perform disk-level encryption using its vStor appliance mentioned above.

As you can see, Catalogic Software understands that, especially in 2020, protecting you and your customers’ information is a top priority. That is why data security is a major aspect of Catalogic Software’s product portfolio.

CryptoSpike is specifically designed to protect you from and prevent the spread of Ransomware activity on your NetApp NAS data. It also helps maintain an effective data governance standard by providing file access transparency for auditing. If you would like to learn more about CryptoSpike, go to

RestoreManager also helps with data governance by providing granular reporting and analytics on file permissions and ownership. You can learn more about RestoreManager here.

Catalogic’s ECX allows for automated recovery/copy of masked Oracle data using storage snapshots. ECX can integrate with any of the data masking solutions out there, removing the risk that consumers’ personal information is exposed in non-production environments. ECX also features granular role-based access control to limit the permissions for application- or backup-specific roles.

And finally, DPX is Catalogic’s all-purpose backup and restore appliance. DPX also features role-based access controls, as well as multiple encryption options for backup data.

Comment (01)

  1. 06/16/2021

    Cool, there are really some excellent details on here; many of my followers will possibly find this relevant. Will send a backlink, cheers.
