Snapshots Are a Feature, Not a Solution
Snapshots are a thing of great beauty and utility. They have enabled data to be protected and reused quickly and efficiently. They now provide many organizations with the foundation of their data reuse and data protection solutions. Snapshots have regularly saved organizations from major incidents and disasters by enabling quick recovery of data.
Storage snapshots are a feature offered by the vast majority of enterprise storage vendors: NetApp, IBM, Pure Storage, Dell EMC and others. The key word in that sentence is FEATURE. Storage snapshots are only a piece of the puzzle and not a complete solution for enterprise data protection.
NetApp was one of the pioneers of storage snapshots and introduced the “point-in-time” storage snapshot capability. They enabled the orchestration of snapshots, SnapMirrors and SnapVaults via ONTAP and provided end users with a comprehensive scheduling engine in the product, a function that some vendors did not and still do not natively include.
The key puzzle piece missing for NetApp users to turn snapshots from a feature into a solution is a central catalog to understand what data sits in these snapshots, because much of what sits in them is completely dark. Would you settle for a car insurance plan with mystery coverage limits and no way to file a claim easily? Then why settle for something similar for your data?
RestoreManager creates a central, online file index of every NetApp snapshot, giving you a single catalog-based view into your files and all their protected versions to go back to. You can search snapshots using multiple criteria and restore files and folders right from within RestoreManager with a single click. The catalog and one-click orchestration extend snapshots from being a feature to a viable solution for operational data recovery.
Furthermore, RestoreManager indexes both primary and secondary storage. Very often, primary snapshots are only maintained for a few days. Many customers rely on SnapMirror and SnapVault array-based replication options to keep a secondary and tertiary copy for DR. Array-based replication is often the most efficient form of replication because it preserves dedupe and compression. Third-party backup appliances tend to rehydrate the data and reduce it again at the target, which puts a lot of burden on both primary and secondary controllers for a net zero effect.
By also indexing SnapMirror and SnapVault destination volumes, RestoreManager can find older versions of files that have been moved off your primary storage. This extension, combined with the more efficient array-based replication methods, extends the snapshot from a feature to not just a solution for operational recovery, but also a solution for disaster recovery.
RestoreManager enables NetApp users to turn snapshots into a valid data protection solution
So how does RestoreManager work?
Immediately after a new Snapshot of a volume has been generated, RestoreManager uses the SnapDiff API to gather the relevant metadata from the files and folders and loads this data to its central database. Searching is now easy with this central index in place. With a single click, you can restore the files you find to a specific folder or to their original location.
Many filters enable targeted searching:
- By file name, parts of the name or file path, with wildcards being permitted
- By data type or file ending: jpg, xls, doc, ppt, etc.
- By deletion period
- By creation period
- By file size
RestoreManager can selectively index primary systems only, secondary systems only, or both. The choice is up to the users and depends on file recovery requirements. RestoreManager utilizes a highly scalable Elasticsearch database to store its index and serve your search queries.
RestoreManager supports all versions of the ONTAP operating system for NetApp primary storage systems. For NetApp SnapVault and SnapMirror targets, RestoreManager works with both ONTAP and NetApp Cloud Backup (formerly AltaVault).
RestoreManager now also provides even better value for money following the addition of Kibana dashboards, which allow the rich metadata catalog to be turned into visual insights:
- The number of files and total storage space used by files based on their type (e.g. Office files, email, images, etc.)
- The age of your file data, which can also be grouped by type
- How to identify unused or under-used storage and VMDKs
- How to identify stale files that haven’t been accessed over a defined period
RestoreManager now offers Data Analytics as well. Please review our updated datasheets here: Scalable NetApp File Catalog with Data Analytics
In my previous post, I discussed how snapshots are a feature, and not a solution. Snapshots, in conjunction with RestoreManager, can enable NetApp users to have a valid data protection solution. In this post, I’m going to discuss how snapshots are an important feature for recovering data effectively and efficiently in the event of a ransomware attack.
Sadly, we live in a day and age in which ransomware is the “go-to method of attack” for cybercriminals. According to Cybersecurity Ventures, it’s estimated that every 14 seconds a business falls victim to a ransomware attack. We see details of the impact of attacks in the news on almost a daily basis, and it’s severely impacting the ability of all business types to generate revenue and function normally. The damage of these attacks is costing billions globally, with the estimated cost predicted to reach over $20 billion by 2021.
Due to this, a question frequently asked at Catalogic is, “How can I ensure my content within my NetApp environment is fully protected from the threat of ransomware, and more importantly, enable the ability to only recover potentially infected files of ransomware hits?”
Our simple answer: CryptoSpike
CryptoSpike delivers real-time detection of ransomware on NetApp file systems. It enables protection through 3 key elements:
- The Blacklist – This stops ransomware at the front door. The Blacklist contains over 2960 file types and ransomware signatures, and files matching them are prevented from being stored on the filer. The Blacklist is automatically updated by a global team that collects information on the latest known ransomware attack signatures and file types from multiple sources.
- The Whitelist – This blocks all file types except those on the allowed file type list. This is very good from a security perspective, but limits the types of files that can be stored. It works very well when applied at a granular level, e.g. an accounting folder that allows only Excel files in a specific share.
- The AI Learner Module – This is the most intelligent part of the product. Because we are monitoring SMB transactions on the filer, we can detect unusual behavior, e.g. too many files read or altered in a period of time compared with that user’s typical behavior, and cut off user access. This means that if an unknown or cutting-edge attack starts, or even if a malicious user wants to start wreaking havoc, CryptoSpike prevents this from happening by blocking the user.
Monitoring can be set up granularly or for all SMB transactions, across clusters, SVMs, volumes, and shares.
The impact of activating the monitoring is minimal. Generally, you can expect up to a 0.3 ms increase in latency due to the TCP packets being sent between ONTAP and the FPolicy servers.
All this sounds great, but what about the ability to recover data in the event of a ransomware attack?
One of the key differentiators of CryptoSpike is that we provide the ability to quickly restore individual files from snapshots, meaning that in the event of a ransomware attack or data breach, you only recover the impacted data. This enables NetApp users to use snapshots as a valid ransomware protection solution.
The data to recover can be quickly and easily identified via file activity reporting. This is because CryptoSpike monitors and logs all user file access (reads, writes, opens, etc.). This means you can identify who was infected, who accessed which files, who has made changes to files, and who has deleted files. You are then able to make quick business-oriented decisions to ensure the business's data is quickly recovered and available again for continued normal business operations.
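The extension Blacklist and the per-user behavior check described in the list above, together with the file activity reporting used to scope a restore, are shown in the following added example. It is not CryptoSpike code; the event format, extensions, window length, baselines and threshold factor are all constructed assumptions.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# All values below are constructed for illustration, not CryptoSpike's own.
DENYLIST = {".locked", ".crypt"}          # hypothetical ransomware extensions
WINDOW_SECONDS = 60                        # sliding window for the rate check
MODIFYING_OPS = {"write", "rename", "delete"}

def detect(events, baseline, factor=5, default_baseline=10):
    """Flag users and list the files each flagged user modified.

    events: time-sorted (epoch_seconds, user, op, path) tuples.
    baseline: typical modifying ops per window for each user.
    """
    recent = defaultdict(deque)   # user -> timestamps inside the window
    touched = defaultdict(list)   # user -> every path the user modified
    reasons = {}                  # user -> why the user was flagged
    for ts, user, op, path in events:
        if op not in MODIFYING_OPS:
            continue              # reads are logged but not scored here
        touched[user].append(path)
        window = recent[user]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if user in reasons:
            continue              # already flagged; keep recording paths
        if PureWindowsPath(path).suffix.lower() in DENYLIST:
            reasons[user] = "denylisted extension"
        elif len(window) > factor * baseline.get(user, default_baseline):
            reasons[user] = "modification rate above baseline"
    return {u: {"reason": r, "restore_candidates": sorted(set(touched[u]))}
            for u, r in reasons.items()}

def sample_events():
    """Constructed activity log: one normal user, two suspicious ones."""
    ev = [(t, "alice", "write", f"finance/report{t}.xlsx") for t in (0, 100, 200)]
    ev += [(300 + i, "bob", "rename", f"projects/doc{i}.docx") for i in range(30)]
    ev += [(310, "bob", "read", "projects/readme.txt")]
    ev += [(400, "carol", "write", "hr/plan.docx.locked")]
    return sorted(ev)

if __name__ == "__main__":
    for user, info in detect(sample_events(), {"alice": 10, "bob": 2}).items():
        print(user, info["reason"], len(info["restore_candidates"]), "files")
```

The `restore_candidates` list for each flagged user is the set of paths to look up in earlier snapshots, so only the files that user modified are restored.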
Additionally, CryptoSpike is incredibly simple to deploy, with minimal resources required for 1x CryptoSpike Server and 2x FPolicy Servers.
The requirements for these are as follows:
- CryptoSpike Server
  - 4GB RAM
  - Minimum 100GB Disk Space
- CryptoSpike FPolicy Server
  - 4GB RAM
  - Minimum 20GB Disk Space
- Connection between Data LIF SVM <-> FPolicy Server (high performance, low latency)
- Connection between FPolicy Server <-> CryptoSpike Server (high throughput)
- Connection between CryptoSpike Server <-> ONTAP Mgmt. (not performance critical)
- Connection to https://cryptospike.prolion.at (for Black-List loading)
- Connection to https://cryptospike.prolion.at/repository/ (for general updates)
All can be deployed via OVA files into VMware vSphere environments. An example of the architecture of a typical CryptoSpike setup is shown below:
We understand that companies are hesitant to deploy CryptoSpike based on the potential impact it has in blocking user access to critical file data. To ease those doubts and ensure no actions are taken at the start of a proof of concept, we recommend you put CryptoSpike into asynchronous mode. In asynchronous mode, CryptoSpike will not block anything. The user will appear in “Blocked Users”, but an email notification will be sent to ensure the user has not been blocked. After a period of 7+ days, you can then switch from asynchronous mode to synchronous mode, making CryptoSpike live and your environment protected.
If you want to learn more, get a no obligation quote or run a proof of concept, feel free to get in contact with us to quickly provide you with what you are looking for.