How Actifio Protects Against Ransomware and Malware
My name is John Meyers and I’m the Chief Security Officer here at Actifio. In the midst of the pandemic, I’m getting a lot of questions from our customers and prospects surrounding ransomware and malware. In particular, can my backups be damaged, encrypted, or destroyed?
With Actifio the answer is fortunately no, but I’d like to explain why. Actifio doesn’t work like ordinary backup systems. At time 0, we’re going to take some ingested data. As time marches on, according to the SLA that you specify, we’re going to continuously take more and more of these ingests, up to time N. Now internally, the way we represent these point-in-time images is as a series of changes, or deltas, that represent everything that’s different between the point now and the previous point.
When you go to mount some data, let’s say we want to mount this point in time, you can do so over Fibre Channel, iSCSI or NFS, and what Actifio, under the covers, is going to do is essentially play back or forward this chain of changes at wire speed, giving you the appearance of a full or synthetic full image. Now, the moment you mount something, you’re going to write changes to it.
The fear that I think everybody has is this: that you might be able to write changes back to that original point-in-time image, potentially damaging it or corrupting it. And the answer is no, absolutely not. You cannot do this, because this is a series of changes; the system was designed from the ground up to be immutable at each point in time. If you were to change this, the series of changes would fall apart and this wouldn’t work.
Not only can you not do this, there is no interface to do it; it simply does not exist. When you actually mount and write changes, you’re writing changes to your own little sandbox that’s associated with that mount, not the original point-in-time image. When we do multiple mounts, every consumer of that mount has its own little sandbox associated with that mount, where the changes are being tracked and recorded.
You’re never overwriting this image. Now, in the case of a ransomware or malware infection, if you mounted this image, yes, it is susceptible to being attacked or encrypted or overwritten or damaged by malware or ransomware, and that could happen. Let’s just say, for instance, that it does happen and that mount is somehow destroyed or corrupted. It’s no problem though: you’ve lost this mount, you tear it down, you mount it again, and you have a perfectly pristine image with no tint or trace of the malware on it. And this image will be at time zero, bit for bit identical to the moment it was created.
In fact, if you look at the description of this video, I have a link to a live demo I did where I took some actual ransomware, in that case WannaCry, and showed this. Well, I took a mount, I let it get encrypted, and I showed that you could tear it down and recreate that mount and have no presence or trace of that ransomware anywhere. So if you are infected with ransomware, the bottom line is that you will always be able to use Actifio to recover from it.
I mentioned that these point-in-time images were immutable, but they can be deleted, or expired, as we say, by an authorized Actifio administrator. Now, ransomware is not going to do this; there is no ransomware out there today that knows how to expire Actifio backups, and if it did, it would need the credentials to do so. But if you had a bad actor who got into your network and compromised your Actifio administrator’s credentials, or you have a rogue employee who wants to cover their tracks, yes, they could potentially destroy or delete these point-in-time images, or potentially all of Actifio itself.
Do we have some protections for that? The answer is yes. In the product, we have something called retention lock, which is just a number in days that you can apply to any SLA within the system. And it doesn’t even have to apply to the whole SLA; it can be for a certain type of job. It could be snapshot, dedupe or object storage on Vault, and only potentially some of them.
We might say we take a lot of backups; maybe once a month we want to take one backup, one snapshot here, and we’re going to replicate that to some object storage, and we’re going to say it’s immutable and can’t be deleted for 30 days. Once we’ve set the retention lock, no one, not even an Actifio superuser, can expire or delete that image.
We can even take that one step further. If we have written this to object storage, there are certain object storage platforms, such as IBM’s Cleversafe or Cloud Object Storage, that we can actually pass information to on a per-object basis, and we can tell it that any objects in this pool that are associated with this image, which the administrator has said needs to be kept for 30 days, will be enforced at the object storage level itself.
Now you have multiple layers of protection against deletion. The image cannot be deleted locally at Actifio, and it cannot be deleted within the object storage platform itself. So even if a bad actor or a rogue employee were able to completely damage or wipe out all of the on-premises Actifio storage, the data would persist. In fact, all the information, or the metadata, needed to recover this image is contained within the image itself. So you can guarantee that you will be able to access this data, even if everything else is lost.
Retention lock isn’t for everybody; it does consume storage. And once you set it, you can’t remove it, so proceed carefully. But in some cases it does have significant value. It is particularly useful in organizations which have to, by law, maintain certain records, as in the financial services sector, where this type of technology is actually required. But it can be used by anyone.
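The following is an added toy model, not Actifio’s code and not part of the original video, of the three properties the transcript describes: a backup kept as a base ingest plus one delta per later ingest (replayed forward to give a synthetic full), mounts whose writes land in a per-mount sandbox rather than in the image, and a retention lock that refuses expiry to every caller, superuser included, and that can be extended but never shortened. The block layout, class names, the XOR stand-in for ransomware and the sample dates and volume contents are all constructed for illustration.

```python
"""Toy model (added example, not Actifio's code): delta-chain images,
copy-on-write mounts, and a retention lock that binds every role."""
from datetime import date, timedelta


class RetentionLockError(Exception):
    """An expire or lock change would violate a retention lock."""


class Backup:
    """Point-in-time images as a delta chain; point N replays deltas 0..N forward."""

    def __init__(self, blocks, captured):
        # one record per point: delta {block index: bytes}, capture date, lock expiry or None
        self._points = [{"delta": dict(enumerate(blocks)), "captured": captured, "lock_until": None}]

    def ingest(self, blocks, captured):
        """Store only the blocks that changed since the previous point; returns the new point index."""
        previous = self.materialize(len(self._points) - 1)
        delta = {i: b for i, b in enumerate(blocks) if previous[i] != b}
        self._points.append({"delta": delta, "captured": captured, "lock_until": None})
        return len(self._points) - 1

    def delta(self, point):
        """The changed blocks recorded for `point` (a copy, so callers cannot alter the chain)."""
        return dict(self._points[point]["delta"])

    def point_count(self):
        return len(self._points)

    def materialize(self, point):
        """Replay the chain up to `point` into a fresh synthetic-full image (new list every call)."""
        blocks = {}
        for record in self._points[: point + 1]:
            blocks.update(record["delta"])
        return [blocks[i] for i in sorted(blocks)]

    def mount(self, point):
        return Mount(self.materialize(point))

    def set_retention_lock(self, point, days):
        """Hold `point` for `days` after capture; a lock may be extended but never shortened or removed."""
        record = self._points[point]
        until = record["captured"] + timedelta(days=days)
        if record["lock_until"] is not None and until < record["lock_until"]:
            raise RetentionLockError("retention lock cannot be shortened or removed")
        record["lock_until"] = until

    def expire(self, point, today, superuser=False):
        """Delete a point. Refused while locked; `superuser` is accepted but deliberately ignored."""
        record = self._points[point]
        if record["lock_until"] is not None and today < record["lock_until"]:
            raise RetentionLockError(f"point {point} is retention-locked until {record['lock_until']}")
        if point + 1 < len(self._points):
            # fold the expired delta into its successor so later points still replay correctly
            self._points[point + 1]["delta"] = {**record["delta"], **self._points[point + 1]["delta"]}
        del self._points[point]


class Mount:
    """A mounted image: reads fall through to the image, writes stay in this mount's sandbox."""

    def __init__(self, image):
        self._image = tuple(image)  # the point-in-time content; nothing here writes to it
        self._sandbox = {}          # block index -> bytes written through this mount

    def read(self, i):
        return self._sandbox.get(i, self._image[i])

    def write(self, i, data):
        self._sandbox[i] = data

    def blocks(self):
        return [self.read(i) for i in range(len(self._image))]


def toy_ransomware(mount, key=0x5A):
    """Stand-in for an infection (constructed): XOR every block reachable through the mount."""
    for i, block in enumerate(mount.blocks()):
        mount.write(i, bytes(b ^ key for b in block))


def demo():
    """Run the scenario from the video against constructed sample data and report the outcomes."""
    backup = Backup([b"boot", b"docs-v1", b"mail-v1", b"free"], date(2020, 3, 1))
    p1 = backup.ingest([b"boot", b"docs-v2", b"mail-v1", b"free"], date(2020, 3, 2))
    p2 = backup.ingest([b"boot", b"docs-v2", b"mail-v2", b"free"], date(2020, 3, 3))
    victim = backup.mount(p1)
    toy_ransomware(victim)                   # the mount is encrypted in place ...
    remount = backup.mount(p1)               # ... but a fresh mount of the same point is pristine
    backup.set_retention_lock(p2, days=30)   # locked until 2020-04-02
    outcomes = {"delta_for_p2": backup.delta(p2), "encrypted_mount": victim.blocks(),
                "fresh_mount": remount.blocks(), "superuser_expire_refused": False,
                "shorten_lock_refused": False}
    try:
        backup.expire(p2, today=date(2020, 3, 15), superuser=True)
    except RetentionLockError:
        outcomes["superuser_expire_refused"] = True
    try:
        backup.set_retention_lock(p2, days=7)
    except RetentionLockError:
        outcomes["shorten_lock_refused"] = True
    backup.expire(0, today=date(2020, 3, 15))   # unlocked point 0 goes; old p1 becomes point 0
    outcomes["oldest_after_expire"] = backup.materialize(0)
    backup.expire(1, today=date(2020, 4, 2))    # lock has lapsed, so deletion is now allowed
    outcomes["remaining_points"] = backup.point_count()
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two details worth noticing when running it: `delta_for_p2` holds only the one block that changed between the second and third ingest, which is what lets the chain stay small, and expiring an unlocked point folds its delta into the next record rather than rewriting anything a later point depends on, so the surviving points still replay to the same bytes.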
In any case, if you have any further questions or concerns, or you find yourself the victim of ransomware or malware, don’t hesitate to reach out to your Actifio representative, or open a support case on our support portal, ActifioNOW. We’ll be happy to assist, and we’ve done so in the past for many other customers. Thank you very much, and stay safe out there.